Red Hat has recently reported a malicious code embedded in XZ Utils versions 5.6.0 and 5.6.1, which are XZ format compression utilities that are often involved in Linux distributions. The vulnerability has been labelled as CVE-2024-3094.  “This attack has echoes of SolarWinds with code silently injected into the supply chain using xz that given certain configurations would allow remote unauthenticated access,” says Saumitra Das, Vice President of Engineering at Qualys.

Source: Security Magazine