Briefly: xz Revisited

xz and liblzma: Exhausted by the Destruction of Trust

Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack

XZ Utils Backdoor — Everything You Need to Know, and What You Can Do

A while ago on lobste.rs, I found a link to a preprint by Piotr Przymus and Thomas Durieux which gives a detailed rundown of the xz attack, in which a malicious maintainer took over the project and added a backdoor granting remote code execution.

It's a great paper, focusing purely on the technical aspects (the malicious maintainer, named elsewhere as Jia Tan, is not explicitly named in the paper), and it provides an interesting, detailed breakdown of the attack's timeline.
