XZ Utils CVE-2024-3094: A Tale of Broken Trust, Curious Persistence, and a Call to Action

A backdoor (tracked as CVE-2024-3094) was discovered in XZ Utils (liblzma) versions 5.6.0 and 5.6.1, covertly embedded in XZ-format test tarballs by a contributor who had built trust over years; the backdoor could allow SSH authentication bypass and remote code execution on affected Linux systems, representing a high-risk supply-chain compromise that impacts distributors using those XZ versions and highlights the need for stronger open-source supply-chain protections.