Malicious code has been detected in xz Utils that appears to be intended to create a backdoor in sshd. xz Utils is a common compression utility used in many Linux distros, including Debian and Red Hat. According to a researcher from Analygence, the malicious versions of xz Utils were not added to production versions of Linux, so impact was limited.
The malicious changes were made by one of the main xz Utils developers, who had years of contributions to the project. This is another scary supply-chain attack in which the attack vector is not a vulnerable service that needs to be updated; rather, the update itself is the attack vector, or the attack vector is baked into the OS.
Research is still being done to determine exactly how the malicious code provides access and at what level.
More details are available here!