In modern cybersecurity, we have moved beyond simple perimeter defense. We operate within a digital nervous system where trust is our greatest vulnerability. The xz Utils incident (CVE-2024-3094) is often reduced to a “supply chain attack,” but that label understates the technical sophistication involved. What makes this case remarkable is not just that a backdoor was planted — it is how: manipulating the GNU build system, hijacking the dynamic linker, and hooking OpenSSH’s RSA verification to create a selective, signature-gated root implant.

This write-up breaks down the technical execution of the attack and the architectural lessons it forces on every organization that depends on open-source software — which is to say, every organization.

The Foundation: LZMA and the Ubiquity of liblzma

The xz project implements LZMA (Lempel-Ziv-Markov chain Algorithm), a high-ratio compression algorithm. In the Linux ecosystem, liblzma is a near-universal dependency — present on virtually every distribution.

The attack did not target the compression logic. Instead, it exploited the linking chain between liblzma and sshd. On many systemd-based distributions, sshd links to libsystemd, which in turn links to liblzma. This transitive dependency allowed a “compression library” to gain residency inside the OpenSSH process memory space — a position no one expected it to occupy offensively.

The Infiltration: Build-System Manipulation as an Attack Vector

The attacker — operating under the identity “Jia Tan” over a multi-year social engineering campaign — did not commit a backdoor to the source code. That would be visible in code review. Instead, they compromised the distributed tarballs by manipulating m4 macros and the configure script — artifacts that most reviewers and automated tools never inspect.

The Multi-Stage Payload

The backdoor was delivered in several obfuscated stages, each designed to evade a different layer of review:

Stage 0 — Build-time gate. Malicious m4 macros were injected into the build system. These macros performed environment checks: is the target architecture x86-64 Linux? Is it being built as part of a Debian or RPM package? If not, the build proceeded normally — the backdoor simply did not activate, reducing the chance of discovery in development or CI environments.

Stage 1 — Payload extraction. During configure execution, a hidden script extracted what appeared to be a corrupt test file (bad-3-corrupt_lzma2.xz). It was not corrupt. It was a carefully compressed script that modified the Makefile — injecting build instructions that would execute in the next phase.

Stage 2 — Object injection. During make, the modified Makefile injected a pre-compiled object file into the linking stage of liblzma. This object contained the runtime backdoor code. Because it entered at link time rather than compile time, it was invisible to source-level SAST tools and code review.

The elegance here is layered evasion: the payload survived in “test data,” activated only on specific build targets, and entered the binary through the linker rather than the compiler.

Hijacking the Runtime via IFUNC

The core of the backdoor exploited IFUNC (Indirect Functions), a feature of the GNU C Library (glibc).

IFUNC allows developers to define multiple implementations of a function — optimized for different CPU architectures, for example — and lets the dynamic linker choose the best version at runtime by calling a resolver function during library initialization.

The backdoor hijacked the IFUNC resolver for lzma_alloc. When the dynamic linker resolved this symbol, it executed the malicious resolver code before the application had even started. This code then walked the Global Offset Table (GOT) and the Procedure Linkage Table (PLT) to locate the address of RSA_public_decrypt within the sshd process — and replaced it with a hooked version.

This is what makes IFUNC particularly dangerous as an attack surface: resolver code runs at load time, with the full privilege of the host process, and is rarely monitored or sandboxed.

The Kill Chain: RSA Hooking and Signature Verification

Once the backdoor hooked RSA_public_decrypt, it did not simply open the door to everyone. It was designed to be exclusive — a targeted implant, not a mass exploit.

  1. Intercepting the key. When a user attempts SSH public-key authentication, the backdoor intercepts the public key being presented.
  2. Ed448 signature check. The malicious code searches for a hidden command embedded in the key data, signed with an Ed448 private key known only to the attacker. Ed448 was a deliberate choice — a modern, high-security curve that ensured no one could forge commands without the attacker’s specific key material.
  3. Conditional execution. If the Ed448 signature validates, the backdoor executes the embedded command via system()with root privileges, since sshd runs as root. If the signature is invalid or absent, the backdoor falls through to the original RSA_public_decrypt, and authentication proceeds normally.

The result: normal SSH logins work as expected, standard monitoring sees nothing unusual, and only the attacker — holder of the Ed448 private key — can activate the implant. No logs. No failed logins. No alerts.

Why 500ms Changed Everything

The attack was discovered by Andres Freund, a PostgreSQL developer who noticed that sshd processes were consuming abnormal CPU time during login — causing roughly a 500ms delay per connection attempt. This overhead came from the backdoor’s string-matching and decryption logic executing on every inbound connection, whether or not it carried a valid command.

For a performance-obsessed systems engineer, 500ms on an SSH handshake is a smoking gun. For the rest of the world, this was nearly the end of secure remote access to the majority of Linux servers on the internet.

Had the backdoor been slightly more efficient — had it added 50ms instead of 500ms — it is an open question whether it would have been caught before reaching stable distribution releases.

Strategic Resilience: Lessons for Defense

The xz incident proves that binary transparency is just as important as code transparency. Reviewing source code is necessary but insufficient when the build pipeline itself is the attack surface. Defense-in-depth must now include:

Vet the build pipeline, not just the source

Trusting git diff is no longer enough. The malicious payload existed in tarball-only artifacts (m4 macros, pre-built test files) that were absent from the version-controlled source. Distributions must verify that release tarballs are reproducibly generated from the tagged source — or stop distributing tarballs entirely.

Implement hermetic builds

Build environments should have no network access and produce bit-for-bit reproducible output. If the same source, toolchain, and configuration always produce the same binary, any divergence becomes a detectable anomaly. Projects like Reproducible Builds have been advocating this for years — xz is the case study that proves why.

Monitor for runtime hooking

Use eBPF to monitor for unexpected GOT/PLT modifications, IFUNC resolver anomalies, or function-pointer overwrites at the kernel level. Traditional endpoint detection rarely instruments the dynamic linker — but that is precisely where this attack lived.

Demand SBOMs with transitive depth

A Software Bill of Materials that lists direct dependencies is table stakes. The xz case shows that the threat lives in transitive dependencies of build tools — a compression library pulled in through systemd, weaponized at link time. SBOMs must cover the full dependency graph, including build-time-only components.

Address the maintainer problem

“Jia Tan” gained commit access through a years-long social engineering campaign against a solo, overworked maintainer. This is not an anomaly — it is the default state of critical open-source infrastructure. Funding, co-maintainership, and succession planning for key projects are security controls, not community niceties.

Conclusion

The xz Utils backdoor was a wake-up call. It demonstrated that a single compromised maintainer of a “boring” compression library can become the single point of failure for the entire internet. The attack was discovered not by any security tool, audit process, or code review — but by one engineer who noticed a half-second lag.

Our resilience depends on our ability to audit what we have collectively decided is too mundane to audit, and to question the trust we have blindly extended to the hidden gears of our infrastructure.

References

  • CVE-2024-3094. National Vulnerability Database. nvd.nist.gov
  • Andres Freund. Backdoor in upstream xz/liblzma leading to SSH server compromise. openwall.com/oss-security
  • Red Hat. Urgent security alert for Fedora 41 and Rawhide users — understanding the xz incident. redhat.com
  • Wikipedia. XZ Utils backdoor — detailed timeline and technical analysis. en.wikipedia.org
  • Reproducible Builds. reproducible-builds.org — the project working to make binary transparency practical.