A Deep Dive On The xz Compromise
TuxCare, Tuesday, April 2nd, 2024
xz is a widely distributed package that provides lossless compression tooling for both end users and developers, and it is included by default in most, if not all, Linux distributions. The project was created in 2009 and has published numerous releases since.
As an open-source project, it is available on GitHub. However, as of the time of writing this article, attempting to visit the project page greets you with a message stating that 'this repository has been disabled due to a violation of the terms of service' instead of the traditional GitHub page. This violation was due to the distribution of malware. In this article, we dig into the what, the why, the how, and perhaps even the 'who' behind this incident.