Technology

The XZ Utils Backdoor: How "Jia Tan" Infiltrated Linux

Galvin Prescott
Mar 12, 2026 (5 min read)
An investigation into the XZ Utils backdoor (CVE-2024-3094), detailing the multi-year social engineering campaign run under the name "Jia Tan" and the technical infiltration of the SSH servers of Linux distributions.

The Multi-Year Grooming of the Open-Source Supply Chain

The infiltration of XZ Utils (CVE-2024-3094) was not a quick hack but a patient, multi-year social engineering campaign. Starting in late 2021, an account using the name Jia Tan (GitHub handle JiaT75; whether this is one person or a team, and who stands behind it, has never been publicly established) began contributing small, legitimate patches to the XZ project.

In 2022, accounts that appear to have been sockpuppets, notably "Jigar Kumar" and "Dennis Ens", began pressuring the sole maintainer, Lasse Collin, on the project mailing list: complaining that patches sat unreviewed and suggesting he bring on another maintainer. Collin replied openly that his capacity was limited, citing mental health issues among other reasons. Jia Tan, already a prolific contributor, was the obvious candidate, and by early 2023 held co-maintainer status with the authority to commit directly to the repository, sign and publish releases, and manage the project's infrastructure.


Weaponizing the Build Process via Binary Blobs

The technical sophistication of the backdoor lay in its obfuscation. Instead of committing malicious C code to the source files, where the "many eyes" of the open-source community might catch it, the attacker hid the payload inside binary test data: two files in the tests/files directory (bad-3-corrupt_lzma2.xz and good-large_compressed.lzma) that look like the ordinary sample archives a compression library's test suite needs, and that nobody reads by hand.

Image: a humorous comic strip about an anonymous individual supporting the entire digital infrastructure as we know it. Credit: xkcd/Randall Munroe.

The malicious logic entered through the release tarballs for versions 5.6.0 and 5.6.1, not through the git repository: a modified build-to-host.m4 in the tarball's m4 directory made configure extract a script from the test files, and that script patched the build so that an object file carved out of the binary test data was linked into liblzma. The payload targeted OpenSSH. On distributions whose sshd is patched to link against libsystemd (Debian, Fedora and their derivatives), libsystemd pulled liblzma into the sshd process, and the backdoor, after checking that it was running as /usr/sbin/sshd and not under a debugger, hooked OpenSSL's RSA_public_decrypt. The hook inspects the RSA public key a connecting client presents in an SSH certificate: the modulus can carry a command encrypted with ChaCha20 and signed with an Ed448 private key held only by the attacker. If the signature verifies, sshd passes the command to system() before authentication, as root; otherwise the call is forwarded to the real function and the login proceeds normally. This is not an authentication bypass in the sense of a magic password; it is pre-authentication remote code execution that only the holder of the attacker's signing key can trigger.


The "Goldilocks Zone" of Dynamic Linking

What most news summaries skip is the precision needed to hit this "Goldilocks zone" of the ELF Global Offset Table (GOT). The backdoor rode in on an IFUNC (GNU indirect function) resolver. IFUNC is a legitimate glibc feature: a symbol is bound not to a fixed implementation but to a resolver function that the dynamic linker calls at load time and that returns the address of the implementation to use, usually chosen by CPU features (for example, whether the processor supports a particular SIMD instruction set; the vendor, Intel or AMD, is not what matters). liblzma genuinely uses this to select its fastest CRC32 and CRC64 routines, which is exactly why a modified resolver attracted no suspicion.

The backdoor replaced the work of liblzma's CRC resolver, so its code ran inside any process that loaded liblzma, at the moment the dynamic linker was processing relocations. That timing is the whole trick. During relocation the GOT, the table of resolved function addresses that calls through the PLT jump to, is still writable; only after all relocations are applied does ld.so mprotect() it read-only (the RELRO hardening). Running inside that window, the backdoor confirmed it was in sshd and then hooked the dynamic linker's symbol-binding path, so that when sshd's GOT entry for OpenSSL's RSA_public_decrypt was filled in it pointed at the backdoor's replacement rather than at libcrypto. The same write after RELRO is applied would fault and kill the daemon, and any earlier there would be no libcrypto symbol to redirect; hence the narrow window.
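The legitimate side of that mechanism, as an added example that is not code from xz, liblzma or the backdoor: a C program that defines a GNU IFUNC symbol, crc32_fast, whose resolver picks between two CRC-32 implementations. The resolver has the same shape as liblzma's real CRC resolvers (the hook point the backdoor abused), but the function names, the use of an SSE4.2 check as the "fast path available" signal, and the bookkeeping counters are assumptions of this demonstration. It builds on Linux with gcc or clang; on non-ELF platforms a plain wrapper is compiled instead of a real IFUNC so the file still runs.

```c
/* Added example (not code from xz, liblzma or the backdoor): a GNU IFUNC
 * resolver of the same shape as liblzma's CRC resolvers.
 * Build on Linux/glibc:  cc -O2 -Wall ifunc_demo.c -o ifunc_demo && ./ifunc_demo
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t (*crc32_fn)(const uint8_t *buf, size_t len);

/* Bookkeeping (assumed for the demo): how often the resolver ran and what
 * it picked. On Linux the dynamic linker calls it once, while relocating
 * this executable, before any constructor or main() runs. */
static int resolver_runs = 0;
static const char *chosen_impl = "unresolved";

/* Portable bit-at-a-time CRC-32 (reflected polynomial 0xEDB88320), the
 * same checksum liblzma's lzma_crc32() computes. */
static uint32_t crc32_bitwise(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Table-driven variant: identical result, fewer operations per byte. It
 * stands in for the CPU-specific (e.g. CLMUL) routine a real resolver
 * would select; choosing it must never change the checksum. */
static uint32_t crc32_table(const uint8_t *buf, size_t len)
{
    static uint32_t table[256];
    static int table_ready = 0;
    if (!table_ready) {
        for (uint32_t n = 0; n < 256; n++) {
            uint32_t c = n;
            for (int k = 0; k < 8; k++)
                c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
            table[n] = c;
        }
        table_ready = 1;
    }
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        crc = table[(crc ^ buf[i]) & 0xFFu] ^ (crc >> 8);
    return ~crc;
}

/* The resolver. ld.so invokes it during relocation processing, i.e. while
 * the GOT is still writable (before RELRO) and before main(). Whatever
 * address it returns is written into the GOT slot for crc32_fast(). The
 * backdoor's resolver used this same moment to plant its own hooks. */
static crc32_fn resolve_crc32(void)
{
    resolver_runs++;
#if defined(__x86_64__) && defined(__GNUC__)
    __builtin_cpu_init();                   /* required inside an IFUNC resolver */
    if (__builtin_cpu_supports("sse4.2")) { /* assumed "fast path available" signal */
        chosen_impl = "crc32_table (cpu feature present)";
        return crc32_table;
    }
#endif
    chosen_impl = "crc32_bitwise (generic)";
    return crc32_bitwise;
}

#if defined(__ELF__) && defined(__GNUC__)
/* Real IFUNC: crc32_fast has no body of its own. The linker emits an
 * IRELATIVE relocation and ld.so fills the GOT slot from the resolver. */
uint32_t crc32_fast(const uint8_t *buf, size_t len)
    __attribute__((ifunc("resolve_crc32")));
#else
/* Non-ELF fallback so the file still compiles: resolve lazily on first call. */
uint32_t crc32_fast(const uint8_t *buf, size_t len)
{
    static crc32_fn impl = NULL;
    if (impl == NULL)
        impl = resolve_crc32();
    return impl(buf, len);
}
#endif

/* Standard CRC-32 check value: CRC32("123456789") == 0xCBF43926. */
uint32_t crc32_check_value(void)
{
    static const uint8_t msg[] = "123456789"; /* constructed test input */
    return crc32_fast(msg, sizeof msg - 1);
}

int resolver_run_count(void) { return resolver_runs; }
const char *resolver_choice(void) { return chosen_impl; }

int main(void)
{
    uint32_t crc = crc32_check_value();
    printf("crc32(\"123456789\") = 0x%08X (expect 0xCBF43926)\n", crc);
    printf("resolver ran %d time(s); picked %s\n",
           resolver_run_count(), resolver_choice());
    return crc == 0xCBF43926u ? 0 : 1;
}
```

On Linux the resolver count is 1 even if main() is changed to never call crc32_fast(): the dynamic linker invoked it while relocating the executable, which is precisely the early, GOT-still-writable moment described above. Both implementations return the same checksum, so the choice the resolver makes is invisible to callers; that invisibility is what let a tampered resolver go unnoticed.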

Image: Jia Tan's GitHub profile page.

Timeline of the XZ Utils Infiltration

Date       | Key event                                                                 | Entity involved
2021-10-29 | First contribution from "Jia Tan" to XZ Utils                              | Jia Tan
2022-05-19 | Sockpuppet accounts begin pressuring the maintainer                        | "Jigar Kumar" (target: Lasse Collin)
2023-01-07 | Jia Tan gains commit access to the repository                              | Jia Tan / GitHub
2024-02-24 | Malicious version 5.6.0 is released                                        | Jia Tan (picked up by Debian unstable, Fedora Rawhide and other rolling branches)
2024-03-29 | Backdoor discovered after roughly 500 ms of extra latency on SSH logins   | Andres Freund

Systemic Fragility of the Maintainer Ecosystem

This incident highlights a structural shift in how the security of the Linux ecosystem has to be perceived. Linus's Law, that given enough eyeballs all bugs are shallow, failed here because the eyeballs were on the git source, while the malicious build script existed only in the release tarballs (signed by Jia Tan) and the payload sat in binary test data that no reviewer reads.

The industry now recognizes that the most critical infrastructure on the planet often rests on single, unpaid volunteers. This human dependency is a systemic risk that a well-resourced actor can exploit; the operation's patience and tradecraft have led many observers to suspect a state-backed group such as APT29 (Cozy Bear), though no government has publicly attributed it. The focus is shifting from vulnerability scanning of finished binaries to provenance verification: establishing that every shipped artifact was built from reviewed source, by a reproducible process, and signed by an accountable identity.

The Future of Cryptographic Supply Chain Integrity

The discovery was a stroke of luck. Andres Freund, a PostgreSQL developer employed by Microsoft, noticed while benchmarking that SSH logins on a Debian test machine were about 500 milliseconds slower than expected, with sshd burning unusual CPU, and dug in until he found the hook. Had the attacker made the hook cheaper, versions 5.6.0 and 5.6.1, which had already reached Debian unstable and testing, Fedora Rawhide and the Fedora 40 beta, openSUSE Tumbleweed and other rolling branches, could have flowed into the next stable releases of major distributions, including Red Hat Enterprise Linux, and sat there for years.

The fallout is forcing a regulatory and technical pivot toward reproducible builds, mandatory Software Bills of Materials (SBOM) for critical utilities, and a practice that would have caught this particular attack directly: building from the tagged source tree rather than from a maintainer-generated tarball, or at least diffing the tarball against the tag before packaging it. However, as long as the global economy relies on open-source libraries maintained by burnt-out volunteers, the window remains open for the next sophisticated actor to play the long game.

References:

  • The Internet Was Weeks Away From Disaster - Veritasium

  • CVE-2024-3094 Detail - NIST
