Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files

Researchers found a multi-stage backdoor in XZ Utils (affecting releases 5.6.0/5.6.1) and test files included in the liblzma-sys 0.3.2 Rust crate; the malicious build scripts and test-case files delivered a payload that hooks SSH-related crypto functions to monitor and execute commands during SSH sessions. The tainted crate was pulled and a cleaned release issued, but the operation demonstrates a sophisticated, coordinated supply-chain compromise—attributed as likely state-sponsored—and underscores risks to open-source package ecosystems.