If you don't already know by now: a backdoor was introduced into one of the main upstream repositories that every x86_64 Linux distribution relies on. It was only discovered by chance, by someone working for Microsoft who noticed that ssh logins were taking a few milliseconds longer. They traced it down to the xz compression tool, where the malicious code was very cleverly hidden in a test binary.
What is more surprising is how this backdoor got into the repository. It looks like the author of this code actually managed to take over the upstream xz repository by social engineering, possibly by themselves or in collusion with others, to get the original maintainer to give them access to make their own commits.