CVE-2024-3094
ID: 28403a5d-7c23-53e6-9a44-f457bda8b39c
STIX ID: report--28403a5d-7c23-53e6-9a44-f457bda8b39c
Feed Name: Zscaler Security Research Blog
This report describes a sophisticated supply-chain attack that hides a backdoor in liblzma/XZ Utils test artifacts in order to modify SSHD behavior (CVE-2024-3094). The multi-stage payload targets Linux x86_64 builds, checks environment variables, injects code into liblzma to hook RSA_public_decrypt, decrypts attacker payloads with ChaCha20 and verifies them with Ed448, and executes arbitrary commands on the SSH server before authentication; because the signatures are bound to the host public key, only the attacker can produce valid payloads.