1. The same source contributor, who is the "author" of the XZ backdoor commits has HUNDREDS of commits in multiple software, incl. libarchive which is integrated into Windows 11 (H2/23 builds)

2. The installed SSH Backdoor is crypto key'd, so only the actor can actually use it (<- exclusive backdoor, this is classic gov actor style)

3. PenTest/InfoSec people point out: the commits were not widely deployed (attack surface was limited, as caught early ). Even with backdoor installed, most institutions have intrusion detection, and other monitoring, and they don't allow random SSH connections -> this would have been limited attack surface

4. Whoever pulled this off, played a long game, months in planning and execution, involving also social engineering.

=> Sounds like a precursor scripted event for the coming CYBER-EVENT of 2024, when Internet goes down and billions of devices are affected => all the cry for authoritarian Internet / Digi-ID control.

PS All the build / test cases for most secure FOSS software will be updated to reflect this attack (no binaries, symbol removal, obfuscation, no funny make file additions, etc). This will INCREASE overall the security of FOSS software in the long run, it'll just take some time for the changes into protocols, methods and rules to percolate downstream to projects.

Some sources:

https://research.swtch.com/xz-script

https://cyberplace.social/@GossiTheDog/112202967577254451

https://github.com/R4GN4R0K-SEC/xzbot

https://www.schneier.com/blog/archives/2024/04/xz-utils-backdoor.html

https://www.wired.com/story/xz-backdoor-everything-you-need-to-know/

https://news.ycombinator.com/item?id=39895344

https://www.youtube.com/watch?v=0pT-dWpmwhA&t=1158s

https://www.youtube.com/watch?v=bS9em7Bg0iU