XZ Utils backdoor incident (Incident)

A backdoor was found in XZ Utils releases 5.6.0 and 5.6.1 (CVE-2024-3094) that, via an obfuscated build-time injection, produces a compromised liblzma library capable of enabling SSH authentication bypass on certain Linux distributions where libsystemd and OpenSSH interact; the malicious code is present in released tarballs (not the git repo) and appears designed to evade fuzzing detection.