Good summary of the XZ Utils supply chain attack, by Sigi Goode

“… some previously unknown accounts popped up to report bugs and submit feature requests to Collin, putting pressure on him to take on a helper in maintaining the project. Jia Tan was the logical candidate.

“Over the next two years, Jia Tan became more and more involved and, we now know, introduced a carefully hidden weapon into the software’s source code.

“The revised code secretly alters another piece of software, a ubiquitous network security tool called OpenSSH, so that it passes malicious code to a target system. As a result, a specific intruder will be able to run any code they like on the target machine.”

– Sigi Goode (4 April 2024). An anonymous coder nearly hacked a big chunk of the internet. How worried should we be?