Father
How long will it take security researchers to identify projects affected by the February compromise?
A recent discovery by Phylum researchers sheds light on a major security challenge facing the open source software community.
As it turned out, the liblzma-sys package, widely used by Rust developers, contained the malicious test files tied to the backdoor in the XZ Utils data compression tool, which the entire Internet was buzzing about at the end of last month.
The liblzma-sys package, downloaded more than 21,000 times, provides Rust developers with access to the liblzma implementation, a library that is part of XZ Utils. Version 0.3.2 of this package was affected.
As reported on the issue page on GitHub, opened on April 9, "the current distribution (v0.3.2) on Crates.io contains test files for XZ that include a backdoor." We are talking about the files "tests/files/bad-3-corrupt_lzma2.xz" and "tests/files/good-large_compressed.lzma".
After responsible disclosure, these malicious files were removed from liblzma-sys in version 0.3.3, released on April 10. In addition, the previous version of the package was completely removed from the Crates.io registry.
As the Snyk researchers explained, although the malicious test files were uploaded to the main liblzma-sys repository, the package carried no malicious build instructions, so the files were never called or executed.
The backdoor in XZ Utils was first discovered at the end of March this year, when Microsoft engineer Andres Freund identified malicious commits in the XZ command-line utility affecting versions 5.6.0 and 5.6.1 released in February and March. XZ Utils is a popular package integrated into many Linux distributions.
According to research by SentinelOne and Kaspersky Lab specialists, the changes in the source code were aimed at bypassing SSH authentication to achieve remote code execution, which could allow attackers to take control of the system.
Earlier, we reported that behind the introduction of a backdoor in XZ Utils is a certain Jia Tan, whose identity could have been invented and used by one of the hacker groups sponsored by China or any other country with its own interests.
The discovery of the malicious files in liblzma-sys was an important event that prevented potentially serious consequences for both the developer community and end users. However, this incident once again showed how vulnerable popular open source projects are to targeted attacks by adversaries seeking to inject malicious code into the software supply chain.
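A practical follow-up for anyone maintaining a Rust project: check whether a Cargo.lock pins the affected liblzma-sys release and whether a vendored copy of the crate still carries the two test files named in the GitHub issue. The code below is an added example written for this post, not code from the liblzma-sys project; the `SAMPLE_LOCK` fragment and the `vendor/liblzma-sys` path are constructed for illustration.

```rust
use std::path::Path;

/// Crate name and version pinned in one Cargo.lock `[[package]]` block.
#[derive(Debug, PartialEq)]
pub struct Pin { pub name: String, pub version: String }

/// Minimal Cargo.lock reader: collects (name, version) from each [[package]]
/// block. It only looks at `name = "..."` and `version = "..."` lines, which
/// is all this check needs (it is not a general TOML parser).
pub fn parse_lock(lock: &str) -> Vec<Pin> {
    let mut pins = Vec::new();
    let mut cur: (Option<String>, Option<String>) = (None, None);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (cur.0.take(), cur.1.take()) {
                pins.push(Pin { name: n, version: v });
            }
            cur = (None, None);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            cur.0 = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            cur.1 = Some(rest.trim_matches('"').to_string());
        }
    }
    if let (Some(n), Some(v)) = (cur.0, cur.1) {
        pins.push(Pin { name: n, version: v });
    }
    pins
}

/// True if the lock file pins the release the post names as affected (0.3.2).
pub fn pins_affected_liblzma_sys(lock: &str) -> bool {
    parse_lock(lock).iter().any(|p| p.name == "liblzma-sys" && p.version == "0.3.2")
}

/// The two test files the GitHub issue identified as containing the backdoor.
pub const BACKDOOR_TEST_FILES: [&str; 2] =
    ["tests/files/bad-3-corrupt_lzma2.xz", "tests/files/good-large_compressed.lzma"];

/// Returns whichever of those files exist under a crate source directory
/// (for example a vendored checkout); an empty result means none were found.
pub fn backdoor_files_present(crate_dir: &Path) -> Vec<&'static str> {
    BACKDOOR_TEST_FILES.iter().copied().filter(|f| crate_dir.join(f).exists()).collect()
}

/// Constructed sample Cargo.lock fragment so the example runs stand-alone.
pub const SAMPLE_LOCK: &str = "[[package]]\nname = \"example-app\"\nversion = \"0.1.0\"\n\n\
[[package]]\nname = \"liblzma-sys\"\nversion = \"0.3.2\"\n";

fn main() {
    println!("affected liblzma-sys pinned: {}", pins_affected_liblzma_sys(SAMPLE_LOCK));
    println!("test files found: {:?}", backdoor_files_present(Path::new("vendor/liblzma-sys")));
}
```

Run it against a real project by reading its Cargo.lock into a string and pointing `backdoor_files_present` at the vendored crate directory; a non-empty result or a `true` from the lock check means the dependency should be moved to 0.3.3 or later.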