The recent ZX hack is quite an impressive long con hack on a carefully picked open source project, slowly gaining trust and then getting hidden malicious code signed. Glad this was found early and did not land into debian LTS, would have been quite bad. Check out the tldr video or jfrog post mortem:
https://youtu.be/bS9em7Bg0iU?si=6QI-fZQ3pm0baIzB
https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/
Peter
npub1fl…n7wu7
2024-04-06 12:34:59
Author Public Key
npub1fldgkyxjm92mr7zlrejmhd3ymlzx2awhpxpwserzl5v2w7a7a93q0n7wu7Published at
2024-04-06 12:34:59Event JSON
{
"id": "db0242f92f730907a3e02a01a8d60eb2204974e8258a7621c811ea6fe143b247",
"pubkey": "4fda8b10d2d955b1f85f1e65bbb624dfc46575d70982e86462fd18a77bbee962",
"created_at": 1712399699,
"kind": 1,
"tags": [
[
"r",
"https://youtu.be/bS9em7Bg0iU?si=6QI-fZQ3pm0baIzB"
],
[
"r",
"https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/"
]
],
"content": "The recent ZX hack is quite an impressive long con hack on a carefully picked open source project, slowly gaining trust and then getting hidden malicious code signed. Glad this was found early and did not land into debian LTS, would have been quite bad. Check out the tldr video or jfrog post mortem:\n\nhttps://youtu.be/bS9em7Bg0iU?si=6QI-fZQ3pm0baIzB\n\nhttps://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/",
"sig": "1c2dcd9b374355080e69eb5c54cffca8520977c231d2fb0dd397d350262a8f6b9a30ed918dcdf052dcab6cde50115bc7984e8fc72c6a30d41caee1acae7be8a1"
}