XZ backdoor story – Initial analysis
ID: 2e8b029c-b12e-5858-a1f1-5fb35d0dbfd4
STIX ID: report--2e8b029c-b12e-5858-a1f1-5fb35d0dbfd4
Feed Name: Securelist by Kaspersky
A sophisticated multi-stage supply-chain backdoor was introduced into XZ Utils (liblzma), shipped in releases 5.6.0/5.6.1 and distributed in some Linux vendor builds. The attack used hidden test files and a malicious build script to inject an object file that alters symbol resolution and hooks OpenSSL/OpenSSH internals (via IFUNC, GOT manipulation and the symbind audit hook) to target sshd, enabling stealthy remote compromise. The analysis details the implantation chain, the binary's behavior, the hooking mechanisms and its execution checks, and provides hashes and YARA rules for detection.
