<https://www.techdirt.com/2025/09/04/why-powerful-but-hard-to-detect-backdoors-could-become-a-routine-problem-for-open-source-projects-because-of-ai/>
"Last year, Andres Freund, a Microsoft engineer, spotted a backdoor in xz
Utils, an open source data compression utility that is found on nearly all
versions of GNU/Linux and Unix-like operating systems. Ars Technica has a
good report on the backdoor and its discovery, as well as a visualization by
another Microsoft employee, Thomas Roccia, of what Ars calls “the nearly
successful endeavor to spread a backdoor with a reach that would have dwarfed
the SolarWinds event from 2020.” A post on Fastcode revisits the hack, and
draws some important lessons from it regarding open source’s vulnerability to
similar attacks and how the latest generation of AI tools make those attacks
even harder to spot and guard against. It describes the backdoor’s technical
sophistication as “breathtaking”:

Hidden across multiple stages, from modified build scripts that only
activated under specific conditions to obfuscated binary payloads concealed
in test files, the attack hijacked SSH authentication through an intricate
chain of library dependencies. When triggered, it would grant the attacker
complete remote access to any targeted system, bypassing all authentication
and leaving no trace in logs."
Cheers,
*** Xanni ***
--
mailto:xanni@xanadu.net Andrew Pam
http://xanadu.com.au/ Chief Scientist, Xanadu
https://glasswings.com.au/ Partner, Glass Wings
https://sericyb.com.au/ Manager, Serious Cybernetics