A popular Rust crate, liblzma-sys, has been found to contain test files associated with the XZ Utils backdoor, according to new findings from Phylum. The crate, downloaded over 21,000 times, provides Rust developers with bindings to the liblzma implementation, a part of the XZ Utils data compression software. The impacted version, 0.3.2, included these malicious test files.
Phylum noted in a GitHub issue that the version then distributed on Crates.io contained the test files associated with the backdoor. These files were absent from the .tar.gz and .zip tag archives on GitHub but present in the liblzma-sys_0.3.2.crate file installed from Crates.io. Following responsible disclosure, the files were removed in version 0.3.3 of liblzma-sys, released on April 10, and the previous version was pulled from the registry.
The researcher commented that while the malicious test files were committed upstream, the malicious build instructions were not present in the upstream repository, so they were never called or executed.
The backdoor in XZ Utils was discovered in late March by Microsoft, impacting versions 5.6.0 and 5.6.1 released in February and March 2024, respectively. The malicious commits, made by a now-suspended GitHub user named JiaT75 (aka Jia Tan), enabled the circumvention of authentication controls within SSH to execute code remotely, potentially allowing the operators to take over the system.
According to the researchers, the actor began contributing to the xz project in October 2021, gradually gaining reputation and trust within the community. The trojanized changes involved a multi-stage operation, modifying the source code of the build infrastructure to extract a malicious binary component that was linked with the legitimate library during the compilation process.
The backdoor slipped into liblzma is designed to hook the Secure Shell daemon (sshd) and watch for commands sent by an attacker at the start of an SSH session, giving the operator remote code execution. While the early discovery of the backdoor averted a widespread compromise of the Linux ecosystem, it underscores how open-source package maintainers are targeted by social engineering campaigns in order to mount software supply chain attacks.
To protect against similar compromises, developers should carefully review the dependencies of their projects and only use packages from trusted sources. Regularly monitoring for security advisories and promptly applying updates to vulnerable dependencies can help mitigate the risk of using compromised libraries. Additionally, using tools like static code analysis and dependency vulnerability scanners can help identify potential security issues in third-party dependencies.
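The discrepancy Phylum reported (files present in the registry .crate but not in the GitHub tag archive) is exactly the kind of check a dependency review can automate. The following script is an added example, not Phylum's tooling or the crate's own code: it lists regular files in a published .crate (a .tar.gz) and in the matching VCS tag archive (.tar.gz or .zip), strips the top-level directory, and reports anything only the registry artifact ships. The set of cargo-generated files it ignores is an assumption about cargo's packaging behaviour, and the sample archives are constructed in memory.

```python
import io
import tarfile
import zipfile
from pathlib import PurePosixPath

# Files cargo adds at publish time; expected to be absent from the git tag
# (assumption based on cargo's packaging behaviour, not stated in the article).
CARGO_GENERATED = {"Cargo.toml", "Cargo.toml.orig", "Cargo.lock", ".cargo_vcs_info.json"}

def _files(archive: bytes) -> set:
    """Regular-file paths in a .tar.gz or .zip, with the top-level directory stripped."""
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
            names = [m.name for m in tf.getmembers() if m.isfile()]
    except tarfile.ReadError:  # not a tarball: try zip (GitHub also offers .zip tags)
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
    stripped = set()
    for name in names:
        parts = PurePosixPath(name).parts
        if len(parts) > 1:  # drop the "liblzma-sys-0.3.2/" style prefix
            stripped.add("/".join(parts[1:]))
    return stripped

def registry_only_files(crate: bytes, tag_archive: bytes) -> list:
    """Paths shipped in the registry .crate that the VCS tag archive does not contain."""
    extra = _files(crate) - _files(tag_archive)
    return sorted(p for p in extra if p not in CARGO_GENERATED)

def _make_targz(files: dict) -> bytes:
    """Build an in-memory .tar.gz from {path: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo() -> list:
    """Constructed sample: the crate carries two test blobs the git tag never had."""
    common = {"liblzma-sys-0.3.2/src/lib.rs": b"", "liblzma-sys-0.3.2/Cargo.toml": b""}
    crate = {**common,
        "liblzma-sys-0.3.2/Cargo.toml.orig": b"",
        "liblzma-sys-0.3.2/xz/tests/files/constructed-extra.xz": b"\x00" * 16,
        "liblzma-sys-0.3.2/xz/tests/files/constructed-extra.lzma": b"\x00" * 16,
    }
    return registry_only_files(_make_targz(crate), _make_targz(common))
```

Against real artifacts, feed it the bytes of the .crate downloaded from the registry and of the tag archive from the project's repository; any path it prints deserves a manual look before the dependency is trusted.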