Attacker Social-Engineered Backdoor Code Into XZ Utils

Kaspersky and other analysts describe a prolonged, low-and-slow supply-chain compromise of the XZ Utils open-source project in which an adversary used multiple fabricated personas and social engineering over years to gain maintainer access and insert a backdoor into liblzma; the backdoored library reached unstable/beta releases of several Linux distributions, prompting warnings from the Open Source Security Foundation and calls for maintainers to guard against social-engineering takeovers.