Case Study: The XZ Utils Backdoor (CVE-2024-3094)

(the original oss-security disclosure and follow-up analyses) before publishing.

In early 2024, a backdoor was discovered in XZ Utils, the xz/liblzma compression library that ships in virtually every Linux distribution. It was one of the most sophisticated supply-chain attacks ever caught.

What happened

How it was caught

Why it's the canonical example

What defenders learn

How Verifi watches for this →