Advanced

XZ Utils Backdoor: A Supply Chain Attack You Should Know About

The XZ Utils backdoor is a supply chain vulnerability — more precisely, a supply-chain-injected vulnerability — planted directly inside the open source project itself. Over a series of co...

XZ Utils is a general-purpose compression suite conceptually similar to .zip or 7-Zip: it takes files and shrinks them so they can be stored or transferred more efficiently. What makes XZ Utils unusual is not the compression algorithm itself, but its reach. The liblzma library that ships as part of XZ Utils is imported as a base-build dependency by nearly every major Linux distribution — Debian, openSUSE, Fedora, Red Hat, Kali Linux, and many others — because so many other system components rely on it for compression services.

That ubiquity is exactly what turned a single poisoned open-source library into a near worst-case supply chain event. A vulnerability injected into a component this foundational does not stay contained to one application; it rides along inside the base operating system image of a huge share of the Linux ecosystem.

This is not a traditional memory-corruption bug like a buffer overflow. It is a deliberately engineered backdoor, hidden in plain sight inside a project that thousands of downstream packages trust implicitly.

Sign in to read this course

A free account unlocks all 514 courses. 20 are readable without one.

What's inside

3 sections
  1. 1 Table of Contents
  2. 2 Module 1: The XZ Utils Supply Chain Backdoor
  3. 3 Summary

More Vulnerability Briefings courses

View all 30

Interested in this course?

Contact us to book it or get a custom training plan for your team.