A well-planned and long-prepared attempt to embed malicious code into the Linux XZ Utils package has emerged as one of this year’s most significant stories in the open-source community.
This sophisticated attack aimed to enable remote unauthorized access via SSH, potentially affecting a broad spectrum of Linux distributions. Unfortunately, this incident casts a shadow over the ecosystem, marking a moment that will be discussed for years.
Consequently, GitHub temporarily disabled access to the XZ Utils repository 24 hours following its discovery. However, access has since been restored, and the repository is again open for developers looking to commit code.
Additionally, Lasse Collin, one of the lead developers involved, has had his account unbanned after a recent ban pending further investigation. However, what captures more attention is the status of the JiaT75 (Jia Tan) account, which is the main suspect in the intentional backdoor breach.
As anyone can see, the account remains included in the list of XZ Utils contributors on GitHub. The man who spent more than two years dedicating himself with remarkable patience and diligence to contributing code (permanently, as it turns out, through a VPN connection) aimed to build trust before striking his final blow.
So, who is JiaT75? Well, that’s the million-dollar question that even the world’s leading cybersecurity experts still cannot answer. The consensus leans towards Jia Tan being a facade for a nation-state actor, a phantom identity masking a collective of individuals.
According to information posted on X by Andy Greenberg, a senior writer for WIRED covering hacking, cybersecurity, and surveillance:
“We dug into the mystery of ‘Jia Tan,’ the polite, conscientious volunteer coder who inserted a surprisingly sophisticated backdoor into XZ Utils—and is most likely the persona of a state-sponsored hacking group based in an Eastern European time zone.”
Having prepared for years, this group nearly executed what might have been the biggest breakthrough in Linux, which, thanks to the software engineer at Microsoft, Andres Freund, did not take place.
Despite the challenges, however, there’s always a silver lining. First, the code contributed to the open-source ecosystem will be handled with greater caution. Secondly, jokingly or not, from this point forward, contributing code and communicating with the project’s coworkers through an established VPN connection will inevitably trigger a big red alert.
At the same time, GitHub’s XZ Utils repository and the account of its lead developer, Lasse Collin, have been unblocked, allowing work on the project to continue.
