Evan Boehs has provided a detailed analysis and timeline of the xz Utils backdoor.
Evan goes into detail on the why of the compromise: how the threat actor exploited the culture of the open-source software community to gain the trust and maintainer access needed to attempt rolling a malicious backdoor out to a very large number of Linux systems, which would have given them arbitrary remote code execution.
This supply-chain attack could have been disastrous had it been more successful and been deployed without being detected ahead of time. Hopefully this will spark some discussion on how to better secure open-source repositories against this type of attack in the future. Perhaps better vetting of contributors and better peer review of contributions are needed.
Evan’s writeup is available here and additional detailed information about the backdoor is also available here!
Relevant CVE-2024-3094: