
Attack post-mortem

The xz utils compromise: a 29-month timeline of patience and a 5-hour exposure window


On March 29, 2024, Andres Freund — a Microsoft engineer — noticed that SSH logins on his Debian testing system were taking 500ms longer than expected. He traced the anomaly to liblzma, a compression library. That library was part of xz-utils, a near-universal component in Linux distributions. He found a backdoor that had been hidden in plain sight for months.

Timeline (abbreviated)

October 2021 — The attacker arrives. A GitHub account submits a benign patch to the xz-utils mailing list. It is accepted. This is the beginning of a 29-month social engineering operation.

2022 — Building trust. The account continues contributing useful patches, responding to issues promptly.

January 2023 — Jia Tan gains commit access. The attacker now has the ability to publish releases.

2023 — Infrastructure changes. The attacker modifies the build infrastructure: autoconf scripts are altered and steps are added to the release tarball generation process. Many of these changes are not reflected in the source repository.

February 2024 — The backdoor is planted. Version 5.6.0 is released. The release tarball contains obfuscated malicious code that modifies the behavior of liblzma when loaded by systemd-linked processes.

March 29, 2024 — Discovery. Freund investigates, finds the backdoor, and publishes his findings.

Why existing tools didn't catch it

Source code review: The malicious code was not in the Git repository. It appeared only in the release tarballs.

Dependency scanners: Version 5.6.0 had no CVEs when it was published, so scanners that match against known-vulnerability databases had nothing to flag.

What Veln would have caught

Veln Lens — binary blob detection: The malicious payload was embedded in files within the tarball. Veln Lens runs binary magic byte detection on all files in a tarball regardless of their extension.
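To make the content-over-extension idea concrete, here is an added example (not Veln's code and not from the xz project) of a small Python scanner that reads the leading bytes of every regular file in a tarball, matches them against a magic-byte table, and flags members whose extension claims text or source but whose content is a binary format. The magic table, the text-extension set and the sample tarball are constructed for this example and are far smaller than what a real scanner would carry.

```python
import io
import os
import tarfile

# Small magic-byte table (assumption: a real scanner carries a far larger one).
MAGIC = {b"\x7fELF": "elf", b"\xfd7zXZ\x00": "xz", b"\x1f\x8b": "gzip",
         b"PK\x03\x04": "zip", b"MZ": "pe"}
# Extensions expected to hold text in a source tarball (assumption).
TEXT_EXTS = {".c", ".h", ".m4", ".ac", ".am", ".sh", ".txt", ".in"}


def classify(head):
    """Return the format whose magic bytes prefix `head`, else None."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def scan_tarball(data):
    """Inspect every regular member by content, ignoring its extension; return
    (name, format, mismatch) for each one whose leading bytes match a known
    binary magic. mismatch is True when the name claims text/source."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            fmt = classify(tar.extractfile(member).read(8))
            if fmt is None:
                continue
            ext = os.path.splitext(member.name)[1].lower()
            findings.append((member.name, fmt, ext in TEXT_EXTS))
    return findings


def build_sample_tarball():
    """Constructed sample: a text m4 macro, an .xz fixture, and a .c file whose
    body is really an ELF header (the name/content mismatch case)."""
    members = {
        "pkg/m4/macros.m4": b"dnl autoconf macro\nAC_DEFUN([x], [])\n",
        "pkg/tests/files/sample.xz": b"\xfd7zXZ\x00" + b"\x00" * 32,
        "pkg/src/helper.c": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 32,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Binary members whose extension matches their content (the .xz fixture) are still reported, since a source tarball that ships any opaque binary deserves a look; the mismatch flag separates the two cases for triage.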

Cooling period: No package version is auto-installed within the first 2 hours of publication without passing trust thresholds.

Veln's binary blob detection would have blocked the xz utils attack at install time.