CVE-2024-3094 · OWASP A03 Software Supply Chain Failures · CWE-506 Embedded Malicious Code · CVSS 10.0 Critical

xz-utils — supply-chain backdoor (nearly an SSH RCE)

A trusted maintainer slipped a hidden backdoor into a core Linux compression library.

What happened

Over two years a patient actor earned maintainer trust on xz-utils, then landed obfuscated code (hidden in test fixtures) that hooked sshd through liblzma, giving remote code execution to whoever held the attacker's private key. It was caught by luck: a Microsoft engineer noticed that sshd had become about 500 ms slower and dug in, days before the backdoored release reached the stable distributions used by millions of servers.

The code

✕ Vulnerable · Supply chain
# Trusting a dependency because it's 'official' and popular
# build pulls the release tarball, runs its bundled build scripts,
# and never diffs the tarball against the git tree it claims to match
✓ Fixed · Supply chain
# Pin + verify: hash-lock every dependency, build from source you can
# reproduce, diff release tarballs vs the VCS tag, and minimize maintainer
# trust (multiple reviewers, signed commits). Watch for anomalies (that 500ms).
# For front-end CDN assets, use Subresource Integrity (SRI).
→ Detect this class with the SRI checker (pins CDN assets by hash)
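The "pin + verify" advice in the fixed snippet, as an added example that is not Benteng's code: a POSIX shell gate that rejects a release tarball whose hash differs from the value you pinned, or that ships files absent from the checked-out source tree. The package name, file names and fixture below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not Benteng's code: gate a release tarball on a pinned
# hash and on a diff against the VCS tree it claims to match.
set -u

# sha256 of a file: sha256sum on Linux, shasum elsewhere.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_release TARBALL EXPECTED_SHA256 SOURCE_TREE
#   0 = hash matches and every file in the tarball exists in the tree
#   1 = hash mismatch (tarball is not the artifact you pinned)
#   2 = tarball ships files the tree lacks (listed on stderr for review)
verify_release() {
  tarball=$1; expected=$2; tree=$3
  actual=$(sha256_of "$tarball")
  if [ "$actual" != "$expected" ]; then
    echo "hash mismatch: expected $expected, got $actual" >&2; return 1
  fi
  tmp=$(mktemp -d)
  # Tarball entries minus directory entries and the top-level folder name.
  tar -tzf "$tarball" | grep -v '/$' | sed 's|^[^/]*/||' | sort >"$tmp/tar"
  (cd "$tree" && find . -type f | sed 's|^\./||' | sort) >"$tmp/tree"
  extra=$(comm -23 "$tmp/tar" "$tmp/tree")
  rm -rf "$tmp"
  if [ -n "$extra" ]; then
    echo "files in tarball but not in source tree:" >&2
    printf '  %s\n' $extra >&2; return 2
  fi
  return 0
}

# Constructed fixture (offline): a fake checkout, a clean tarball of it, and
# a tampered tarball carrying one unreviewed build script. Prints its dir.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/tree/src" "$d/pkg-1.0/src" "$d/pkg-1.0/m4"
  for f in configure.ac src/lzma.c; do
    echo "// sample $f" >"$d/tree/$f"; cp "$d/tree/$f" "$d/pkg-1.0/$f"
  done
  tar -czf "$d/clean.tar.gz" -C "$d" pkg-1.0
  echo "# unreviewed build script" >"$d/pkg-1.0/m4/unreviewed.m4"
  tar -czf "$d/tampered.tar.gz" -C "$d" pkg-1.0
  echo "$d"
}
```

In practice you call verify_release with the tarball you downloaded, the hash you recorded when you reviewed it, and a checkout of the matching VCS tag; a non-zero return should fail the build rather than print a warning.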

Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit. Benteng · a Palu Gada tool.