A sophisticated software supply chain attack targeting the open-source community has been uncovered, revealing a years-long effort to plant a backdoor in XZ Utils, a compression package shipped by nearly every Linux distribution, with Debian and Red Hat among the intended targets. Experts have described the breach as a "nightmare scenario": a malicious, competent contributor with authorized upstream commit access to a widely used library. In retrospect, the persona's first known commit, a 2021 change to the libarchive project, is suspicious: it replaced calls to the safe_fprintf function with a variant long recognized as less secure, and nobody noticed at the time. The backdoor, embedded in software that runs on virtually all publicly accessible internet servers, would have served as a "master key" for attackers to steal encrypted data; it was discovered by accident before the update reached the major distributions. The discovery came just days after ENISA named software supply chain attacks the top cybersecurity threat for the next five years. Further investigation suggests that nation-state hackers could be behind the meticulously planned operation.
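To make concrete why swapping a "safe" print routine for a plain one is a security regression, the following is an added illustration, not libarchive's own code: an archive entry name is attacker-controlled, and if it is written to the terminal unescaped it can carry control sequences that clear the screen or forge status lines. The escaping function, the constructed hostile entry name and the two print helpers are all assumptions introduced here for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added illustration (not libarchive's code): copy an untrusted archive
 * entry name into out, rendering every byte outside printable ASCII as a
 * C-style octal escape so a terminal never interprets it. Returns the number
 * of characters written (excluding the NUL); output is truncated to fit. */
size_t escape_entry_name(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char tmp[8];
        int len;
        if (*p >= 0x20 && *p < 0x7f && *p != '\\') {
            tmp[0] = (char)*p;
            tmp[1] = '\0';
            len = 1;
        } else if (*p == '\\') {
            len = snprintf(tmp, sizeof tmp, "\\\\");
        } else {
            /* control bytes (ESC, CR, ...) and DEL/high bytes become \ooo */
            len = snprintf(tmp, sizeof tmp, "\\%03o", *p);
        }
        if (n + (size_t)len >= outsz)   /* leave room for the NUL */
            break;
        memcpy(out + n, tmp, (size_t)len);
        n += (size_t)len;
    }
    out[n] = '\0';
    return n;
}

/* Constructed sample (hypothetical): an entry name carrying ANSI escapes that
 * clear the screen and home the cursor, then a forged "all clear" line. */
static const char kHostileName[] = "notes.txt\033[2J\033[H[OK] archive verified";

/* The 'before' behaviour: the raw name goes straight to the terminal.
 * Running this in a real terminal wipes the screen; that is the point. */
void print_raw(FILE *fp, const char *name)
{
    fprintf(fp, "x %s\n", name);
}

/* The safe behaviour: escape first, then print; the escapes are now visible. */
void print_safe(FILE *fp, const char *name)
{
    char buf[256];
    escape_entry_name(name, buf, sizeof buf);
    fprintf(fp, "x %s\n", buf);
}

int main(void)
{
    print_raw(stdout, kHostileName);
    print_safe(stdout, kHostileName);
    return 0;
}
```

The difference is invisible in a log file and obvious on a terminal, which is exactly why a reviewer skimming a diff that drops the "safe_" prefix can miss the regression.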
The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code. https://t.co/cSo0Or46Ic
Malicious code embedded deep in a piece of software that runs on virtually all publicly accessible internet servers would have served as a “master key” for attackers to steal encrypted data. The most interesting part of the story is how it got there https://t.co/QZmqweA6LD 👇
Software supply chain attacks are now the top cybersecurity threat for the next five years. This announcement was made by ENISA just days prior to the accidental discovery of a backdoored package (xz) used in nearly every Linux distribution. Very prescient https://t.co/w5UqUuYUcB
The software at the heart of the internet is maintained not by giant corporations or sprawling bureaucracies but by a handful of earnest volunteers toiling in obscurity. A cyber-security scare in recent days shows how the result can be near-disaster https://t.co/zb84KWDp5M 👇
Details are starting to emerge about a stunning supply chain attack that sent the open source software community reeling. via @arstechnica https://t.co/xl4tgDCNos
Details are starting to emerge about a stunning supply chain attack that sent the open source software community reeling. https://t.co/8JBubMqur3
"In 2021, someone... made their first known commit to an open source project. In retrospect, the change to the libarchive project is suspicious, because it replaced the safe_fprintf function with a variant that has long been recognized as less secure. No one noticed at the time." https://t.co/ranyhyfO8a
"This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library": https://t.co/H4DNb3Y8lw #ethics #internet #cybersec #tech #research
"The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into #Debian and #RedHat, the two biggest distributions of #Linux": https://t.co/H4DNb3Y8lw #ethics #internet #cybersec #tech
In a software supply chain hack described as a “nightmare scenario” by multiple experts, a contributor to an open-source project used by most Linux distributions was responsible for the breach that was nearly disastrous for the IT industry and customers. https://t.co/Uy3dawEqUq