We're breaking down the attack: how it works, how it was hidden, and why time was running out for the attacker.Sponsored By:Tailscale: Tailscale is a programmable networking software that is private and secure by default - get it free on up to 100 devices!Kolide: Kolide is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps.Support LINUX UnpluggedLinks:💥 Gets Sats Quick and Easy with Strike📻 LINUX Unplugged on Fountain.FMoss-security mailing list — Backdoor in upstream xz/liblzma leading to ssh server compromise.Fedora AnnouncementDebian AnnouncementUbuntu AnnouncementKali Linux AnnouncementArch Linux AnnouncementGentoo AnnouncementopenSUSE Tumbleweeed AnnouncementNixOS Unstable DiscussionWhy does it take two weeks for NixOS to replace xz?Andres Freund on Mastodon — I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc....rwmj on Hacker News — Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its "great new features"A Microcosm of the interactions in Open Source projects — Make no mistake. This is the way it works. It needs to change.