The story is reminiscent of a criminal case: A hacker with the pseudonym “Jia Tan” managed to gain the trust of the legitimate developer of the tool in question over a period of months in order to make the manipulated code changes. The New York Times likens Freund’s discovery process to a baker smelling bread and realizing that something is wrong with the entire world’s yeast supply.
The BSI classifies the threat as “business-critical” and warns of significant impacts on normal operations if the manipulated versions of “XZ Utils” are in use. Versions 5.6.0 and 5.6.1 are particularly affected. System administrators are now encouraged to check their Linux systems and take appropriate security measures.