The xz utils compromise: a 29-month timeline of patience and a 5-hour exposure window
On March 29, 2024, Andres Freund — a Microsoft engineer — noticed that SSH logins on his Debian testing system were taking 500ms longer than expected. He traced the anomaly to liblzma, a compression library. That library was part of xz-utils, a near-universal component in Linux distributions. He found a backdoor that had been hidden in plain sight for months.
Timeline (abbreviated)
October 2021 — The attacker arrives. A GitHub account submits a benign patch to the xz-utils mailing list. It is accepted. This is the beginning of a 29-month social engineering operation.
2022 — Building trust. The account continues contributing useful patches, responding to issues promptly.
January 2023 — Jia Tan gains commit access. The attacker now has the ability to publish releases.
2023 — Infrastructure changes. The attacker alters the build infrastructure: modifications to the autoconf scripts and additions to the process that generates the release tarballs. Many of these changes are not reflected in the source repository.
February 2024 — The backdoor is planted. Version 5.6.0 is released. The release tarball contains obfuscated malicious code that modifies the behavior of liblzma when loaded by systemd-linked processes.
March 29, 2024 — Discovery. Freund investigates, finds the backdoor, and publishes his findings.
Why existing tools didn't catch it
Source code review: The malicious code was not in the Git repository. It appeared only in the release tarballs.
Dependency scanners: Version 5.6.0 had no CVEs when it was published.
What Veln would have caught
Packed-payload and hidden-binary signals: The malicious payload was embedded in files within the tarball. Veln's source-pattern signals flag native executables shipped inside a package, packed payloads, and binary blobs concealed in files with non-binary extensions; the check is on file content, not on the file extension.
Cooling period: Any version younger than the configured threshold (default: 2 hours) is held at the gate.
xz-utils is a deep-system component, not a normal npm/PyPI package, so the parallel is illustrative — but the same signal class (hidden binaries and packed payloads) is exactly what Veln catches when an npm or Python tarball ships an embedded native blob.
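A content-based tarball check of the kind the hidden-binary and packed-payload signals above describe, as an added example that is not Veln's code or the xz-utils project's: it opens a release tarball, flags members whose leading bytes match a native-executable magic, and flags high-entropy content sitting under a text extension. The sample tarball, its file names and the 7.2 bits/byte threshold are constructed for the illustration.

```python
import io
import math
import os
import tarfile
from collections import Counter

# Extensions a reviewer expects to hold text; binary content under one of them is the hidden-binary signal.
TEXT_EXTENSIONS = {".c", ".h", ".m4", ".ac", ".am", ".sh", ".txt", ".md", ".in"}
# Leading magic bytes of native executables: ELF, Windows PE, Mach-O (both byte orders), fat Mach-O.
EXECUTABLE_MAGIC = (b"\x7fELF", b"MZ", b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                    b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
ENTROPY_THRESHOLD = 7.2  # bits/byte (constructed); source text sits around 4-6, packed data near 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (8.0 = every byte value equally frequent)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def scan_tarball(blob: bytes) -> list[tuple[str, str]]:
    """Return (member name, signal) for each regular file that looks like a hidden binary."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            ext = os.path.splitext(member.name)[1].lower()
            if data.startswith(EXECUTABLE_MAGIC):          # content says executable, whatever the name
                findings.append((member.name, "native-executable"))
            elif ext in TEXT_EXTENSIONS and shannon_entropy(data) > ENTROPY_THRESHOLD:
                findings.append((member.name, "packed-payload-in-text-file"))
    return findings

def build_sample_tarball() -> bytes:
    """Constructed sample release tarball; none of this is real xz-utils content."""
    members = {
        "pkg-1.0/src/decode.c": b"#include <stdlib.h>\nint main(void) { return 0; }\n",
        "pkg-1.0/m4/helper.m4": b"\x7fELF" + bytes(60),        # ELF header under a text extension
        "pkg-1.0/tests/notes.txt": bytes(range(256)) * 16,     # maximum-entropy 4 KiB blob
        "pkg-1.0/tests/sample.xz": bytes(range(256)) * 4,      # binary extension: expected to be opaque
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Running `scan_tarball(build_sample_tarball())` reports the `.m4` and `.txt` members and stays silent on the `.c` source and the `.xz` test vector, which is the distinction the signal relies on.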