The Backdoor That Nearly Compromised the Internet

The Foundations: what we take for granted

  • The modern internet runs on hundreds of millions of servers.
  • Over 70% of web servers globally run on Linux, and more than 1.8 billion websites are hosted on Linux-based servers.
  • The Linux operating system is structured in layers: the Kernel (core hardware management), System Libraries (user-space access to kernel functions), and System Utilities (specialised management tasks).
  • One such utility is XZ Utils, which provides compression and decompression through its core library, liblzma. It is included in many Linux distributions out of the box, is very popular with developers, and is used extensively throughout the Linux ecosystem, including by the distributions' own package formats and build tooling.

What if XZ Utils had a backdoor built in, and nobody running Linux knew about it? It would be like a master key that opens every hotel room.

The Hack: a masterclass in supply-chain infiltration

It is now known as the “xz hack”, a sophisticated supply-chain attack (CVE-2024-3094) discovered in March 2024, in which a backdoor was inserted into the xz data compression library (versions 5.6.0 and 5.6.1). It targeted Linux systems by compromising the liblzma library: on hosts where the OpenSSH daemon was linked against liblzma (indirectly, through distribution patches that link sshd to libsystemd), the backdoor hooked sshd's RSA public-key authentication path so that an attacker holding a specific private key could execute commands remotely, before authentication completed.

The attacker, operating under the persona “Jia Tan”, built up the maintainer's trust over roughly two years and was granted co-maintainer rights, which gave them the access needed to inject malicious code into the legitimate XZ Utils releases.

It seems that, as part of the effort to gain these permissions, the attacker used an interesting form of social engineering: fake accounts sent a stream of feature requests and bug complaints to pressure the original maintainer, Lasse Collin, until adding another maintainer to the repository looked like the only way to keep up. After contributing to the code for approximately two years, the attacker introduced a series of changes through 2023 and early 2024 that went into release 5.6.0 (February 2024). Among these changes was a sophisticated backdoor, delivered partly through obfuscated binary files checked in as compression test data and partly through build-script logic that existed only in the release tarball, not in the git history.

The Discovery: a 500ms clue

Software developer Andres Freund discovered the backdoor while investigating slow SSH logins: a roughly 500 ms increase in sshd's CPU time per login that appeared after a software update on a Debian unstable system. By tracing the extra work back to the XZ package, he identified the backdoor and reported it publicly on 29 March 2024.

This backdoor almost became one of the most significant intrusion enablers ever, one that would have dwarfed the SolarWinds backdoor. The attackers were weeks away from gaining remote access to a large share of internet-facing Linux servers: the backdoored packages had already reached the testing and development branches of major distributions (Debian unstable, Fedora Rawhide and Fedora 41, openSUSE Tumbleweed and Kali among them) and were on track to ship in upcoming stable releases such as Fedora 40 and Ubuntu 24.04.
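As an added example (not part of the original article), here is a POSIX shell triage script that answers the two questions administrators were asking that week: is the installed xz one of the two backdoored releases, and is liblzma actually mapped into sshd on this host? The second question matters because the payload has nothing to hook unless sshd loads liblzma, which on affected distributions happened through libsystemd. The sample `xz --version` and `ldd` text embedded below is constructed for illustration; the live check against the real host only runs when the script is invoked with `--live`.

```shell
#!/bin/sh
# Added example, not from the article: triage helpers for CVE-2024-3094.
# Two facts drive the checks: only XZ Utils 5.6.0 and 5.6.1 shipped the backdoor,
# and the payload only reached sshd on hosts where sshd maps liblzma (normally
# indirectly, via distribution patches that link sshd against libsystemd).

# Constructed sample outputs, used for offline testing of the helpers below.
SAMPLE_XZ_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_LINKED='	linux-vdso.so.1 (0x00007ffd1a3f0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2c10a00000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2c109c0000)'
SAMPLE_LDD_UNLINKED='	linux-vdso.so.1 (0x00007ffd1a3f0000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f2c10400000)'

# Extract the version from `xz --version` output, whose first line reads
# "xz (XZ Utils) 5.6.1". Takes the text as an argument so captured output from
# another host can be checked too.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.* //p'
}

# Exit 0 when the version is one of the two backdoored releases.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Given `ldd /usr/sbin/sshd` output as text, exit 0 if liblzma is mapped into sshd.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both signals into a single verdict string.
verdict() {
    ver=$1
    ldd_out=$2
    if xz_version_is_backdoored "$ver"; then
        if sshd_links_liblzma "$ldd_out"; then
            echo "backdoored-and-reachable"
        else
            echo "backdoored-but-sshd-not-linked"
        fi
    else
        echo "clean"
    fi
}

# Live check for the current host; runs the real commands.
live_check() {
    xz_out=$(xz --version 2>/dev/null) || { echo "xz not installed"; return 0; }
    sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
    ldd_out=$(ldd "$sshd_bin" 2>/dev/null)
    ver=$(parse_xz_version "$xz_out")
    echo "xz version: $ver"
    echo "verdict: $(verdict "$ver" "$ldd_out")"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

A "backdoored-but-sshd-not-linked" result still means the host carries hostile code in liblzma and must be downgraded; it only tells you the remote sshd hook was not reachable on that particular build.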

The Lessons: beyond the basics

This hack obviously raises a lot of concerns. We got lucky. If this backdoor had not been detected by a curious engineer, how long would it have remained active? What would have happened if the backdoor had made it into production releases? The attacker would have held a master key to every affected Linux server, able to run commands through sshd at will, and could have taken web servers offline wholesale, disrupting the internet as we know it.

The hacker (or team of hackers) showed incredible patience, sophistication and persistence, and ran a well-crafted social engineering campaign against a maintainer who was merely an enthusiastic volunteer: someone who created a great tool for the world to use, but lacked the time and money to maintain it in the long term.

The hack reveals deeper systemic lessons for tech leaders, security teams, and the open-source community.

  • Trust is an attack surface. We often regard contributor trust as a social metric; it should be regarded as a security boundary. Long-term infiltration attacks are becoming more common because they:
    • Avoid security detection systems
    • Exploit human burnout
    • Target governance weaknesses
  • Open-source maintainer burnout is a security risk. In this incident, the original maintainer was not negligent, he was exhausted. When a single volunteer maintains a dependency embedded in millions of systems, that is not just a sustainability problem, it is a critical security issue. Open source needs:
    • Financial backing for critical dependencies
    • Shared stewardship models
  • Open-source supply chain security must move upstream. Security reviews often focus on application code, runtime vulnerabilities and network exposure. But modern attacks are shifting upstream, targeting build systems, package pipelines, dependency graphs and maintainer access controls, as this hack demonstrated: the malicious build logic lived in a release tarball that differed from the repository, and it was triggered by files checked in as compression test data, so neither a review of the git tree nor a vulnerability scan of the installed binary would have flagged it.
  • Social engineering has evolved. This hack wasn't simple phishing. It was a multi-year campaign of reputation farming, identity shaping and psychological pressure. That's a new frontier of open-source exploitation. Security governance frameworks need to avoid single-maintainer bottlenecks and require transparent identity verification for privileged roles.
  • Observability is key. The hack was caught because a curious engineer noticed 500 ms of extra latency. Security risk is often discovered in unexpected telemetry.
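One concrete upstream check follows from the xz case: the backdoored `m4/build-to-host.m4` was present in the release tarball but not in the git repository, so comparing what a project ships against what its version control says it ships would have surfaced the difference. The script below is an added example, not code from XZ Utils or any distribution: it extracts a release tarball and a VCS export of the same tag (on a real project, `git archive --format=tar.gz <tag>`) and lists files the tarball adds or changes. It assumes GNU or BSD `tar` and standard `find`, `cmp` and `mktemp`; the two archives it compares are constructed inline, with a placeholder extra line standing in for the injected macro.

```shell
#!/bin/sh
# Added example, not the project's code: compare a release tarball against a
# VCS export of the same tag and print files that the tarball adds or modifies.
# Autotools-generated files (configure, Makefile.in) are expected to appear as
# "added"; the reviewer reads the list rather than requiring it to be empty.

# Usage: tarball_vs_export release.tar.gz export.tar.gz
# Prints "added <path>" or "modified <path>" per difference, relative to the
# archive root. Returns 2 if either archive cannot be extracted.
tarball_vs_export() {
    rel=$1
    exp=$2
    work=$(mktemp -d) || return 2
    mkdir "$work/rel" "$work/exp"
    tar -xzf "$rel" -C "$work/rel" && tar -xzf "$exp" -C "$work/exp" || {
        rm -rf "$work"
        return 2
    }
    # Every regular file in the tarball is either absent from the export
    # (added) or present with different bytes (modified); identical files
    # are silent. Files only in the export (deleted) are out of scope here.
    ( cd "$work/rel" && find . -type f ) | sort | while read -r f; do
        if [ ! -e "$work/exp/$f" ]; then
            echo "added $f"
        elif ! cmp -s "$work/rel/$f" "$work/exp/$f"; then
            echo "modified $f"
        fi
    done
    rm -rf "$work"
}

# Build two constructed archives in a temp dir and print that dir's path.
# The export tree mimics a clean git tag; the release tree mimics a tarball
# with one generated file and one macro carrying a line the repo never had.
make_demo_archives() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/export/m4" "$d/release/m4"
    printf 'AC_INIT([demo], [1.0])\n' > "$d/export/configure.ac"
    cp "$d/export/configure.ac" "$d/release/configure.ac"
    # the macro as committed to the repository
    printf 'AC_DEFUN([gl_BUILD_TO_HOST], [dnl harmless macro])\n' \
        > "$d/export/m4/build-to-host.m4"
    # the same path in the tarball, with an extra line standing in for the injection
    { cat "$d/export/m4/build-to-host.m4"
      printf 'dnl placeholder line absent from the repository\n'; } \
        > "$d/release/m4/build-to-host.m4"
    # a generated script that legitimately exists only in the tarball
    printf '#!/bin/sh\necho configure\n' > "$d/release/configure"
    tar -czf "$d/export.tar.gz" -C "$d/export" .
    tar -czf "$d/release.tar.gz" -C "$d/release" .
    echo "$d"
}

# Demo run only when invoked with --demo, so sourcing the file has no side effects.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_archives)
    tarball_vs_export "$demo/release.tar.gz" "$demo/export.tar.gz"
    rm -rf "$demo"
fi
```

On the demo archives the output is two lines, `added ./configure` and `modified ./m4/build-to-host.m4`; the first is the routine autotools noise a reviewer learns to expect, the second is the kind of line that should stop a release.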

Final Thought

Linux and open source remain among the most secure and innovative foundations in computing history. But this hack was a wake-up call. It reminds us that the most dangerous backdoors aren't forced open. They're invited in: slowly, patiently, and politely.
