by throw0101c 698 days ago
> The user Jia Tan added exploit code to the 'xz' tool as part of a larger deal.

Various discussions on this backdoor (in rough chronological order):

* Backdoor in upstream xz/liblzma leading to SSH server compromise:† https://news.ycombinator.com/item?id=39865810

* What we know about the xz Utils backdoor that almost infected the world: https://news.ycombinator.com/item?id=39891607

* How the XZ Backdoor Works: https://news.ycombinator.com/item?id=39911311

* The xz sshd backdoor rabbithole goes quite a bit deeper: https://news.ycombinator.com/item?id=39956455

* XZ backdoor story – Initial analysis: https://news.ycombinator.com/item?id=40017310

† Original report, AFAICT.

1 comment

>XZ backdoor story – Initial analysis

Here are parts 2 and 3 (weren't discussed on HN):

>Part 2: Assessing the Y, and How, of the XZ Utils incident (social engineering)

https://securelist.com/xz-backdoor-story-part-2-social-engin...

>Part 3: XZ backdoor. Hook analysis

https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007...

Something tells me that somewhere deep in a military facility somewhere, somebody is getting court-martialled, if not downright worse (after having been found out, I mean ...)

  PS. Or some "unaffiliated" group somewhere is getting their SOF cut off ...