Backdoor in upstream xz/liblzma leading to SSH server compromise

Andres Freund discovered a backdoor in the upstream xz/liblzma package that compromised SSH servers, after observing odd symptoms on Debian sid installations. The backdoor was found in the distributed tarballs and injected an obfuscated script that modified certain files. It targeted x86-64 Linux and glibc-based systems. The observed impact was slowed logins via ssh. The injected code intercepted execution by replacing certain functions and redirecting a crucial symbol to its own code. Upgrading vulnerable systems is recommended. The issue was reported to CISA, and Red Hat assigned it CVE-2024-3094. A script to detect the vulnerability was provided by Vegard Nossum.

https://www.openwall.com/lists/oss-security/2024/03/29/4
