The XZ Utils backdoor (CVE-2024-3094): Everything you need to know, and more
ID: 44baab36-0f65-5c20-99a8-2e50d659a1ef
STIX ID: report--44baab36-0f65-5c20-99a8-2e50d659a1ef
Feed Name: Datadog Security Labs
On March 28, 2024, a backdoor was disclosed in XZ Utils versions 5.6.0 and 5.6.1 (CVE-2024-3094). The malicious code is compiled into liblzma during the package build rather than dropped as a separate file; when sshd loads that library (on distributions that patch OpenSSH to link libsystemd, which in turn pulls in liblzma), the backdoor hooks OpenSSL's RSA_public_decrypt and gives an attacker who holds a specific private key remote code execution on the host. Several Linux distributions shipped the backdoored package. The post cites detection scripts and vendor advisories, and characterizes the operation as sophisticated, multi-year, and likely state-sponsored.
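The two checks a responder would run first on a host are whether the installed xz is one of the two backdoored releases and whether the local sshd actually links liblzma (the precondition for the hooked code path). The script below is an added example, not a detection script from the Datadog Security Labs post or from the XZ Utils project; it assumes `xz --version` prints its version on the first line and that sshd is either on PATH or at /usr/sbin/sshd.

```shell
#!/bin/sh
# Added example (not part of the original post): host triage for CVE-2024-3094.

# Return 0 if the version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first X.Y.Z token from `xz --version`-style output, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if no version is found.
xz_version_from_output() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 if the binary at $1 links liblzma (directly or transitively),
# 1 if it does not, 2 if the binary or ldd is missing.
sshd_links_liblzma() {
    [ -x "$1" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    if ldd "$1" 2>/dev/null | grep -q liblzma; then
        return 0
    fi
    return 1
}

# Run both checks against the current host and print a verdict for each.
triage_host() {
    ver=""
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null | head -n 1)")
    fi
    if [ -z "$ver" ]; then
        echo "xz: not installed or version not parsed"
    elif xz_version_affected "$ver"; then
        echo "xz $ver: backdoored release (CVE-2024-3094); downgrade or rebuild from a trusted source"
    else
        echo "xz $ver: not one of the backdoored releases"
    fi

    # Assumed location when sshd is not on PATH.
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    sshd_links_liblzma "$sshd_path"
    case $? in
        0) echo "sshd ($sshd_path) links liblzma: hooked code path is reachable if liblzma is backdoored" ;;
        1) echo "sshd ($sshd_path) does not link liblzma" ;;
        *) echo "sshd ($sshd_path): could not inspect (binary or ldd missing)" ;;
    esac
}

triage_host
```

The `ldd` check is a heuristic: it reports transitive dependencies, so a positive result means liblzma is mapped into sshd's address space, not that the copy present is malicious, and a clean version string does not by itself prove the binary was built from clean sources. Because `ldd` invokes the dynamic loader on the target, run it only on binaries you already trust, or use `objdump -p` to read NEEDED entries without executing anything.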
