XZ Utils Backdoor Implanted in Carefully Executed, Multiyear Supply Chain Attack
ID: 7524255b-52cb-59fd-9702-56c18a37bdd5
STIX ID: report--7524255b-52cb-59fd-9702-56c18a37bdd5
Feed Name: Dark Reading
A malicious, maintainer-level backdoor was discovered in the liblzma component of XZ Utils (CVE-2024-3094), enabling attackers to bypass SSH authentication and obtain full system access. The backdoor was introduced via a long-term social-engineering campaign by a contributor who gained commit access; affected versions (5.6.0 and 5.6.1) appear in unstable/beta releases of several Linux distributions. Multiple vendors and CISA issued urgent advisories recommending downgrades or reverts, and tools/scanners have been released to detect the compromised binaries.
