XZ, a suite of file compression tools packaged into distributions of the Linux operating system, was long maintained by a single author, Lasse Collin. In recent years, he appeared to be under strain.
In a message posted to a public mailing list in June 2022, Collin said he was dealing with “long-term mental health issues”, and hinted that he was working with a new developer named Jia Tan and that “perhaps he will have a bigger role in the future”.
Commit logs available through the code-hosting site GitHub show that Tan’s role quickly expanded. By 2023, Tan was merging his own code into XZ, a sign that he had been granted commit access and won a trusted role in the project.
But cybersecurity experts who’ve scoured the logs say that Tan was masquerading as a helpful volunteer and that he introduced a nearly invisible backdoor into XZ over the next few months.
Collin did not return messages seeking comment; on his website he said he would not respond to reporters until he understood the situation well enough. Tan did not return messages sent to his Gmail account.
Reuters has been unable to ascertain who Tan is, where he is or who he was working for, but many of those who’ve examined his updates believe Tan is a pseudonym for an expert hacker or group of hackers — likely one working on behalf of a powerful intelligence service.
“This is not kindergarten stuff,” said Omkhar Arasaratnam, the general manager of the Open Source Security Foundation (OSSF), a cross-industry forum for collaborative improvement of open-source software which defends projects like XZ. “This is incredibly sophisticated.”
‘WE LUCKED OUT’
Tan could easily have got away with it had it not been for Andres Freund, a Microsoft developer whose curiosity was piqued when he noticed the latest version of XZ intermittently using an unexpected amount of processing power on the system he was testing.
Microsoft declined to make Freund available for an interview, but in publicly available emails and posts to social media, Freund said a series of easy-to-miss clues prompted him to discover the backdoor.
The find “really required a lot of coincidences,” Freund said on the social network Mastodon.