CVE-2024-3094: Newly Discovered Backdoor in XZ tools

On 2024-03-29 a supply-chain backdoor was disclosed in xz-utils tarball releases 5.6.0 and 5.6.1 (CVE-2024-3094): malicious/obfuscated build scripts in the distributed tarballs alter the liblzma build to substitute checksum functions, enabling a backdoor and SSH checksum bypass; the trojanized code was present in tarball distributions (not upstream GitHub), impacts multiple Linux distributions and cloud images, and has triggered vendor and CISA advisories with mitigation guidance to stop use and downgrade to xz-5.4.x.