Best of 2024: An Accidental Discovery of a Backdoor Likely Prevented Thousands of Infections
ID: 8668f42a-e89b-50cb-847d-6af668ad592d
STIX ID: report--8668f42a-e89b-50cb-847d-6af668ad592d
Feed Name: Security Boulevard
An accidental discovery revealed a long-lived supply-chain backdoor hidden in the xz compression library via obfuscated configure-script changes; the injected code in liblzma could compromise OpenSSH when distributions link xz into sshd. The actor using the pseudonym "Jia Tan" introduced the changes over years and pressured some maintainers to ship the backdoored versions; the issue was found because of valgrind errors and SSH performance issues, likely preventing a much broader infection across distributions.
