Linux is full of small pieces of software, developed by tiny teams (sometimes a single person), that do important things in the OS.
XZ is one of those pieces of software; it handled compression (think like zip on Windows) and was developed by just a single person.
A couple of years ago people on forums (now thought to be linked to the hacker) started complaining at him for being too slow to update it. Then the main attacker, Jia Tan, came in and offered to help with the project. This isn’t unusual in open source.
So Jia Tan is doing a good job keeping xz updated for a few years and the main developer is so happy with their work they let them push new versions out.
However, Jia Tan had very cleverly hidden a hack in the download file. It modifies the remote access software that Linux comes with to add their own secret user to it.
So if this hadn’t been found as quickly as it was, the hacker could have logged in to any Linux system using the hacked xz version.