xz utils (Tukaani Project): CVE-2024-3094 — multi-year social-engineering attack inserts backdoor into xz/liblzma
A threat actor operating under the pseudonym "Jia Tan" gained maintainer access to the xz utils project over a two-year campaign and inserted a backdoor into liblzma that targeted OpenSSH on systemd-linked Linux distributions. The backdoor was caught by accident when a Microsoft engineer noticed 500 ms of extra latency in SSH connections.
One of the four practices that failed in this incident is part of the Sentinel-10, the engineering protocols Concordance flags as most degraded under AI-accelerated development.
This incident pre-dates today's AI-velocity surge. The thesis is that the same practices that failed here will fail faster under AI velocity if they are not actively governed. Read the Velocity Governance thesis.
Impact
Had it shipped in stable releases, the backdoor would have given the attacker remote code execution on virtually every internet-facing Linux server running the affected sshd. It was caught by chance before broad distribution; the worst case was narrowly avoided.
Root cause (from published RCA)
The xz utils project had a single overworked maintainer. A second contributor ("Jia Tan") spent ~2 years building trust through legitimate contributions, was granted commit access, and used that access to introduce build-system modifications that selectively injected malicious code into liblzma during the build process. The malicious payload was hidden in test fixtures and only activated by specific build configurations.