XZ Backdoor Linux Hack

Submission 4,196

Part of a series on Linux. [View Related Entries]

About

XZ Backdoor Linux Hack refers to the discovery of a malicious "backdoor" in XZ compression tools used in some newer versions of open-source Linux systems. Microsoft engineer Andres Freund found the backdoor in late March 2024 after he noticed a half-second lag while logging into his machine. Further investigation revealed code introduced into the system over the course of two years by a developer named Jia Tan that aimed to grant remote access to every computer running the latest versions of Linux-based operating systems Ubuntu, Fedora and Debian. Engineers and tech enthusiasts shared memes about Freund's discovery, with many jokes leveraging the fact that he was tipped off by a mere 500-millisecond delay in his system.

Origin

On March 29th, 2024, Microsoft engineer Andres Freund made a post on Mastodon^[1] urging people who run "Debian Testing, Unstable, or some other more 'bleeding edge' distribution" to upgrade their Linux systems as soon as possible (seen below). He shared a document about how he discovered a backdoor in the XZ compression tool used in Linux distributions, saying that he was tipped off by a minute lag in his system.

The backdoor commits were allegedly added by a developer known online as Jia Tan over the course of two years, with work logs indicating that their contributions took place at regular weekly intervals as part of a 9-5 job (seen below, left).^[3] Moreover, some developers shared on YCombinator^[4] that Jia Tan had urged them to add the compromised XZ feature to newer versions of Fedora (seen below, right).

Spread

News about Andres Freund's discovery made it to X / Twitter on March 29th, 2024, with X^[2]^[5] user @thegrugq questioning the role of Jia Tan in the hack, saying that it is unlikely that they were an innocent but compromised developer, and adding that the end goal of the hack would have been access to every system running Fedora, Debian and Ubuntu. The post gathered over 5,000 likes in a day (seen below).

On March 30th, Redditors^[9] on /r/Linux theorized that the XZ backdoor must have been the work of malicious state actors, with Jia Tan being a pseudonym for an entire team of workers undertaking a long-term state-sponsored campaign (seen below. left). Also on March 30th, Redditor^[10] /u/shy_cthulhu posted a Cat Looks Inside meme about he backdoor to /r/linuxmemes, gathering over 800 upvotes in a day.

On March 30th, 2024, X^[6] user @vxunderground made a post calling Andres Freund the "silver back gorilla of nerds" and the "internet final boss," gathering over 18,000 likes in a day (seen below, left). That same day, X^[7] user @0x_shaq joked about installing the compromised software on their system, gathering over 3,000 likes in a day (seen below, right).

Also on March 30th, X^[8] user @mippl3 posted a video of Steph Curry discovering a defect in the basketball court because of a failed dribble, writing, "This is explains how the xz backdoor was found," and gathering over 12,000 likes in a day (seen below).