Malware News Red Hat warns of backdoor in XZ tools used by most Linux distros


Today, Red Hat warned users to immediately stop using systems running Fedora development and experimental versions because of a backdoor found in the latest XZ Utils data compression tools and libraries.

"PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA 41 OR FEDORA RAWHIDE INSTANCES for work or personal activity," Red Hat warned on Friday.

"No versions of Red Hat Enterprise Linux (RHEL) are affected. We have reports and evidence of the injections successfully building in xz 5.6.x versions built for Debian unstable (Sid)."

Debian's security team also issued an advisory warning users about the issue. The advisory says that no stable Debian versions are using the compromised packages and that XZ has been reverted to the upstream 5.4.5 code on affected Debian testing, unstable, and experimental distributions.

Red Hat is now tracking this supply chain security vulnerability as CVE-2024-3094, assigned it a 10/10 critical severity score, and reverted to 5.4.x versions of XZ in Fedora 40 beta.

The malicious code is obfuscated and can only be found in the complete download package, not in the Git distribution, which lacks the M4 macro, which triggers the backdoor build process.

If the malicious macro is present, the second-stage artifacts found in the Git repository are injected during the build time.

"The resulting malicious build interferes with authentication in sshd via systemd. SSH is a commonly used protocol for connecting remotely to systems, and sshd is the service that allows access," Red Hat said.

"Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely."

CISA also published an advisory today warning developers and users to downgrade to an uncompromised XZ version (i.e., 5.4.6 Stable) and to hunt for any malicious or suspicious activity on their systems.


The upstream GitHub repository of xz-utils is now disabled.

This repository has been disabled.

Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service. If you are the owner of the repository, you may reach out to GitHub Support for more information.

Quote from Arstechnica:
The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.
“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund wrote. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates. Those updates and fixes can be found here, here, here, and here.
On Thursday, someone using the developer's name took to a developer site for Ubuntu to ask that the backdoored version 5.6.1 be incorporated into production versions because it fixed bugs that caused a tool known as Valgrind to malfunction.
“This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass,” the person warned, from an account that was created the same day.
One of the maintainers for Fedora said Friday that the same developer approached them in recent weeks to ask that Fedora 40, a beta release, incorporate one of the backdoored utility versions.
“We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added),” the Ubuntu maintainer said. "He has been part of the xz project for two years, adding all sorts of binary test files, and with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise."


Firmware security firm Binarly has released a free online scanner to detect Linux executables impacted by the XZ Utils supply chain attack, tracked as CVE-2024-3094. CVE-2024-3094 is a supply chain compromise in XZ Utils, a set of data compression tools and libraries used in many major Linux distributions.

Late last month, Microsoft engineer Andres Freund discovered the backdoor in the latest version of the XZ Utils package while investigating unusually slow SSH logins on Debian Sid, a rolling release of the Linux distribution.

The backdoor was introduced by a pseudonymous contributor to XZ version 5.6.0, which remained present in 5.6.1. However, only a few Linux distributions and versions following a "bleeding edge" upgrading approach were impacted, with most using an earlier, safe library version.
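
A local triage check for the version guidance quoted in the posts above (5.6.0 and 5.6.1 backdoored, 5.4.x as the revert target, sshd as the affected service), as an added example that is not part of the original posts or of any vendor's tooling. The function names, the sample command output and the Debian-style "+really" version string are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added triage sketch. Sample inputs are constructed, not captured from a real host.

# Classify an XZ Utils / liblzma version string.
# Per the thread, upstream 5.6.0 and 5.6.1 carry the backdoor.
classify_xz_version() {
    v=${1#*:}                      # drop a package epoch such as "1:" if present
    case $v in
        # Debian-style revert naming (assumed here): the code actually shipped
        # is the part after "+really", e.g. "5.6.1+really5.4.5-1" is 5.4.5.
        *+really*) v=${v#*+really} ;;
    esac
    v=${v%%-*}                     # drop a distro revision such as "-1"
    case $v in
        5.6.0|5.6.1)          echo affected ;;
        [0-9]*.[0-9]*.[0-9]*) echo not-affected ;;
        *)                    echo unknown ;;
    esac
}

# Pull the library version out of `xz --version` output, whose second
# line has the form "liblzma X.Y.Z".
liblzma_version_from_xz_output() {
    printf '%s\n' "$1" | awk '$1 == "liblzma" { print $2; exit }'
}

# Does `ldd` output for a binary list liblzma among its dependencies?
links_liblzma() {
    if printf '%s\n' "$1" | grep -q 'liblzma\.so'; then echo yes; else echo no; fi
}

# Combine both checks: $1 = version string, $2 = ldd output for sshd.
triage() {
    echo "$(classify_xz_version "$1") sshd-links-liblzma=$(links_liblzma "$2")"
}

SAMPLE_XZ_OUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)'

triage "$(liblzma_version_from_xz_output "$SAMPLE_XZ_OUT")" "$SAMPLE_LDD"
triage "5.6.1+really5.4.5-1" "$SAMPLE_LDD"
# On a live host:
#   triage "$(liblzma_version_from_xz_output "$(xz --version)")" "$(ldd "$(command -v sshd)")"
```

A "not-affected" result covers only the version string; it does not replace the hunt for suspicious activity that the CISA advisory quoted above recommends.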
