An attempted sabotage of a widely used software tool has sparked concerns in Washington, D.C. about the vulnerability of the open-source supply chain and the potential involvement of foreign nation-states in covert operations.
A software engineer named Andres Freund, working at Microsoft, uncovered hidden malicious code within two versions of a popular open-source data compression tool on Friday, March 29. These compromised versions had already been incorporated into two distributions of the widely used Linux operating system. This discovery initiated urgent efforts by security experts and government agencies to prevent the compromised tool, known as Xz, from being exploited for spying or cyberattacks against Linux users. The U.S. government's primary civilian cybersecurity agency, CISA, promptly issued guidance on addressing the issue.
Swift actions and the targeted nature of the exploit likely averted widespread damage from the hack. Nevertheless, the incident has rattled the cybersecurity community, both for its execution and its implications.
A GitHub user named Jia Tan, whose identity remains uncertain, spent approximately two years establishing credibility within the developer community before exploiting that trust to gain control of Xz. This manipulation of trust even garnered support from at least five other GitHub users who endorsed Jia Tan's reliability, according to Marc Rogers, a cybersecurity researcher investigating the incident.
This kind of human-enabled digital espionage is unprecedented in the realm of open source, noted Anjana Rajan, an official at the White House Office of the National Cyber Director. The involvement of nation-states is suspected, although agencies like the FBI and NSA have not confirmed any investigations. Former government cyber experts are convinced that inquiries are underway.
The incident has prompted a reassessment of open-source code security. Despite being vital to the digital economy, open-source software is often maintained by a single volunteer, making it susceptible to exploitation. There are indications that Xz may have been targeted because its previous maintainer had expressed frustration with their workload.
There is a growing consensus that measures must be taken to safeguard open-source code. Many projects rely on individuals who maintain them without recognition or reward, leaving them vulnerable to attacks like this one, observed Rogers.