In a detailed timeline, the xz open source attack conducted by an attacker named “Jia Tan” is outlined. Over the course of two years, Jia Tan managed to insert a hidden backdoor into the liblzma component of the xz compression library, which was a dependency for OpenSSH sshd on many Linux systems. This allowed unauthenticated, targeted remote code execution, marking a significant moment in open source supply chain security. The attack involved subtle social engineering tactics and strategic code changes to go undetected. The attack was publicly disclosed on March 29, 2024, illustrating the vulnerability of widely used open source software.
https://research.swtch.com/xz-timeline