This upstream supply chain security attack is the kind of nightmare scenario that has gotten people describing it called hysterical for years.

It’s real. Sleep well.

backdoor in upstream xz/liblzma leading to ssh server compromise

openwall.com/lists/oss-secu…

The obfuscated backdoor was found by someone who noticed and looked into performance degradation, basically out of sheer luck. We’re all lucky it got caught at all, and as soon as it did. It would have been much worse if it had kept on for longer

mastodon.social/@AndresFreundT…

It’s beautiful 🥲

There was some serious time and dedication put into this attack, honestly. Talk about playing the long game

Open source maintainer burnout is a clear and present security danger. What are we doing about that?