Malicious code in XZ supply chain and releases

Posted: Sat Mar 30, 2024 8:48 pm
by barbaz

Re: Malicious code in XZ supply chain and releases

Posted: Sun Mar 31, 2024 4:11 pm
by barbaz
Now this is interesting: Someone is making the point that because affected versions of xz-utils are GPL-licensed, the malware author and the xz-utils project are both legally required to provide the full source code for the malware (which was distributed only in obfuscated binary form) - github.com/tukaani-project/.github/issues/2

EDIT: Broke dead link as both that issue and the account that posted it appear to have been deleted.

Re: Malicious code in XZ supply chain and releases

Posted: Tue Apr 02, 2024 3:26 pm
by therube

Re: Malicious code in XZ supply chain and releases

Posted: Sat May 10, 2025 12:24 pm
by [User canned by moderator]
This incident with malicious code in the XZ supply chain highlights just how vulnerable even widely trusted software can be. It’s a strong reminder that the software supply chain needs more rigorous auditing and better transparency across all levels. What's particularly concerning is how long this backdoor went unnoticed, showing the limits of our current review processes.

As the industry continues to move toward digital transformation, it's becoming more critical than ever to integrate stronger security practices into every stage of development and deployment.