date 2007-04-24
https://www.wired.com/story/jia-tan-xz-backdoor/
The Wired article linked above is a good high-level overview. For those interested in the low-level details of how it works and how it was hidden, this web page is a good read: The xz attack shell script
Quote from Wired article:
The scourge of software supply chain attacks—an increasingly common hacking technique that hides malicious code in a widely used legitimate program—can take many forms. Hackers can penetrate an update server to seed out their malware, or even break into the network where the software was developed to corrupt it at the source. Or, in the case of one particularly insidious software supply chain attacker known as Jia Tan, they can spend two years politely and enthusiastically volunteering to help.
Over the weekend, the cybersecurity and open source software community was shocked by the news that a relatively new, experimental version of XZ Utils—a compression utility integrated into many popular distributions of Linux—contained a backdoor that would have allowed hackers in possession of a specific private key to connect to the backdoored system and run their own commands as an administrator. Only some chance detective work carried out by a lone Microsoft engineer, Andres Freund—who'd detected a strange delay in how the remote connection protocol SSH was running in a version of the Linux variant Debian—caught the spy trick before it ended up in many millions of systems worldwide.
When I read this strip [schlockmercenary.com], I thought it was a little far-fetched for fiction. Truth appears to have proved me wrong.
The surname Tan rang some bells, and with Cheong thrown into the mix, this points to Southeast Asia, specifically Malaysia, Singapore, Indonesia and some neighbouring countries where these surnames are common among the Chinese diaspora. You're more likely to find a Tan or a Cheong in Southeast Asia and places outside China, a Cheung in HK, and often 张 (Zhang) in mainland China.
What IP addresses were the commits and comments from? Tor/VPN IPs? bot farm IPs?
It's not a supply chain attack when your "suppliers" are literally volunteers (or, in this case, malicious actors pretending to be volunteers) with whom you have literally no business relationship whatsoever. You are in essence just using stuff you found for free on the internet. Big businesses go crying that their "supply chain" was compromised in the hope that they can convince volunteers to do even more work for free.
This sort of thing is exactly why basically all free software on the internet is distributed with text similar to this:
The biggest takeaway from this I think is that volunteer maintainers should be more direct at politely telling choosing beggars to please fuck off. You can do this even if you aren't directly involved in maintenance. Anyone on the xz-devel mailing list could have told "Jigar Kumar" or "Dennis Ens" to kindly go fuck themselves when they posted shit like:
or
But nobody did.
