Red Hat Warns of Malware Embedded in Popular Linux Tool, Opening Doors for Unauthorized Access
ID: 884bb240-56a5-5738-8610-06000eb8a229
STIX ID: report--884bb240-56a5-5738-8610-06000eb8a229
Feed Name: GBHackers
Red Hat warns of a sophisticated supply-chain compromise in the xz/xz-libs packages (CVE-2024-3094): obfuscated malicious code in versions 5.6.0 and 5.6.1 can be triggered at build time via a hidden M4 macro and second-stage artifacts to produce binaries that interfere with sshd via systemd, potentially allowing unauthorized remote access. Affected distributions include Fedora Rawhide, Fedora 40 Beta, Debian unstable (Sid), and openSUSE; Red Hat reports RHEL is not affected and advises downgrading to xz 5.4.x and stopping use of Rawhide until fixes are applied.
