[Xtern Software] What Redis and XZ Utils Can Teach Us about Open Source Software Licensing & Security, Part 2


Open source software has a long history of collaboration, transparency, and a perspective that technology can make the world better. And for the most part, this has been the case. Open source software is ubiquitous and underpins the foundation of nearly every piece of technology in use. However, these same ideals also make open source software a prime target for exploitation, as the XZ Utils incident shows.

What is XZ Utils?

XZ Utils provides data compression and decompression on nearly all Unix-like operating systems, including Linux. A Microsoft developer was benchmarking other software when he noticed something unusual. This prompted him to investigate the project's logs, and he eventually discovered that malicious code had been added. The code could be modified to steal encryption keys, install malware, or perform any other malicious action. Upon further digging, it was discovered that the creation of this backdoor had been years in the making.

A user by the name of JiaT75 began working with XZ Utils in January 2023. Over time, using social engineering and possibly other fake accounts to pressure the single maintainer, they gained more influence and exerted more control over the project. It is not known (and may never be known) whether JiaT75 is an individual, a completely fabricated persona, and/or is backed by the government of another nation with ill intent.

At Xtern, we participate in and support the open source community. However, we vet all open source software thoroughly prior to use, and we maintain a complete list of open source software packages that are approved for use. This helps ensure that we continue to participate responsibly within the open source ecosystem.
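One concrete way to enforce an approved-package list is to pin not only the package name and version but also the digest of the release artifact, because in the XZ Utils case the malicious build script was present in the published release tarballs but not in the project's git tree. The following script is an added example and is not Xtern's own tooling; the package names, versions, archive bytes and digests are all constructed placeholders, and `check_manifest` is a hypothetical helper written for this post.

```python
"""Approved-package allowlist check (added example, not Xtern's tooling).

Compares a dependency manifest against an approved list in which every
entry pins an exact version and the sha256 of the release artifact. A
package that is not on the list, is at a different version, or whose
downloaded archive does not match the approved digest is reported.
All names, versions, archive contents and digests are constructed.
"""
import hashlib

# Constructed "known good" release archives, standing in for real tarballs.
_GOOD_COMPRESS = b"constructed release archive: example-compress 5.4.6"
_GOOD_JSON = b"constructed release archive: example-json 2.1.0"


def sha256_of(data: bytes) -> str:
    """Hex sha256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Approved list: name -> (pinned version, sha256 of the approved artifact).
APPROVED = {
    "example-compress": ("5.4.6", sha256_of(_GOOD_COMPRESS)),
    "example-json": ("2.1.0", sha256_of(_GOOD_JSON)),
}


def check_manifest(manifest, artifacts):
    """Return a list of findings for a manifest.

    manifest:  list of (name, version) pairs a project wants to use
    artifacts: dict name -> bytes of the release archive actually fetched
    An empty list means every dependency is approved and its artifact
    matches the approved digest.
    """
    findings = []
    for name, version in manifest:
        entry = APPROVED.get(name)
        if entry is None:
            findings.append(f"{name}: not on the approved list")
            continue
        approved_version, approved_digest = entry
        if version != approved_version:
            findings.append(
                f"{name}: version {version} not approved "
                f"(approved version is {approved_version})"
            )
            continue
        data = artifacts.get(name)
        if data is None:
            findings.append(f"{name}: no release artifact available to verify")
            continue
        if sha256_of(data) != approved_digest:
            # Same name and version, different bytes: the release artifact
            # was re-published or tampered with after approval.
            findings.append(f"{name}: artifact digest does not match approved digest")
    return findings


def run_demo():
    """Check a constructed manifest containing one good, one tampered and
    one unlisted dependency; returns the findings."""
    manifest = [
        ("example-json", "2.1.0"),
        ("example-compress", "5.4.6"),
        ("example-unlisted", "0.1.0"),
    ]
    artifacts = {
        "example-json": _GOOD_JSON,
        # Constructed tampered archive: same version string, different bytes.
        "example-compress": _GOOD_COMPRESS + b"\n# injected build step",
    }
    return check_manifest(manifest, artifacts)


if __name__ == "__main__":
    for finding in run_demo():
        print("FAIL:", finding)
```

In practice the approved digests would be recorded at the time a package is reviewed and the check would run in CI against the archives the build actually downloads, so that a later re-release under the same version number fails the build rather than being silently accepted.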

References:

https://redis.com/blog/redis-adopts-dual-source-available-licensing/

https://opensource.org/license/bsd-3-clause

https://mastodon.social/@AndresFreundTec/112180406142695845

https://tukaani.org/xz-backdoor/

https://boehs.org/node/everything-i-know-about-the-xz-backdoor