Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution
ID: dd72127b-de6d-5711-96a6-80dcbdc0d444
STIX ID: report--dd72127b-de6d-5711-96a6-80dcbdc0d444
Feed Name: The Hacker News
The report describes a sophisticated supply-chain compromise of the XZ Utils compression utility, tracked as CVE-2024-3094. A project maintainer introduced a backdoor into the released tarballs (5.6.0 and 5.6.1) that allows a remote attacker holding a predetermined private key to hijack the SSH daemon and execute arbitrary code. The intrusion involved multi-year social engineering and sockpuppet accounts, and is assessed as likely state-level in complexity.
