{
	"id": "bf95c986-a248-4b6f-ac77-adab90b4b4cc",
	"created_at": "2026-04-06T00:07:10.222733Z",
	"updated_at": "2026-04-10T03:30:33.659168Z",
	"deleted_at": null,
	"sha1_hash": "5b5c131636a23debc4ae759a511b20cea22d526a",
	"title": "Everything I Know About the XZ Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 167668,
	"plain_text": "Everything I Know About the XZ Backdoor\r\nBy Evan Boehs\r\nPublished: 2024-03-29 · Archived: 2026-04-05 15:04:36 UTC\r\nstate\r\nevergreen\r\nin\r\nblog\r\ntags\r\nopen-source\r\ndate\r\n3/29/2024\r\nlicense\r\nCC BY-SA 4.0\r\nThis publication was last updated at 12:49 PM EST on April 8th\r\nRecently, a backdoor was discovered in XZ, a popular library for lossless data compression. Initial research efforts\r\nwere predominantly concentrated on unpacking the well-disguised attack vector, while the social aspects of the\r\nattack received only murmurings. To investigate this attack, I never read a line of code. Instead, I spent dozens of\r\nhours pouring over hundreds of discussion threads and mailing lists. I’ve concluded that while the events that\r\nunfolded are undoubtedly a tragedy, it was one of our own making — one of an ugly reality that quietly plays out\r\nevery day. Our attacker was not naïve. They meticulously examined the culture of open source and then pounced\r\non its norms, twisting them strategically to their benefit. If we continue to focus purely on technicalities, nothing\r\nwill ever change. This story will play out time and time again, like it already has for decades. We must stop\r\nfocusing on fuzzing and static analysis and instead turn our attention to the human costs of open source. We must\r\nlearn. With this in mind, I present a timeline of the attack — one from a new perspective that’s too often ignored.\r\n2021\r\nJiaT75 (Jia Tan) creates their GitHub account.\r\nThe first commits they make are not to xz, but they are deeply suspicious. Specifically, they open a PR in\r\nlibarchive: Added error text to warning when untaring with bsdtar. This commit does a little more than it says. It\r\nreplaces safe_fprint with an unsafe variant, potentially introducing another vulnerability. 
The code was merged without any discussion, and lives on to this day (patched).\r\n2022\r\nIn April 2022, Jia Tan submitted a patch via a mailing list. The contents of the patch are not relevant, but the events that follow are. A new persona — Jigar Kumar — enters, and begins pressuring for this patch to be merged.\r\nhttps://boehs.org/node/everything-i-know-about-the-xz-backdoor\r\nPage 1 of 6\r\nSoon after, Jigar Kumar begins pressuring Lasse Collin to add another maintainer to XZ. In the fallout, there is much to learn about mental health in open source.\r\nThree days after the emails pressuring Lasse Collin to add another maintainer, JiaT75 makes their first commit to xz: Tests: Created tests for hardware functions.. Since this commit, they become a regular contributor to xz (they are currently the second most active). It’s unclear exactly when they became trusted in this repository.\r\nJigar Kumar is never seen again. Another account — Dennis Ens also participates in the pressure, with a similar name+number formatted email. This account is also never seen outside of xz discussion, and neither have any associated accounts that have been discovered.\r\nGlyph @glyph@mastodon.social\r\n@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html\r\nMar 29, 2024, 20:43\r\n2023\r\nJiaT75 merges their first commit on Jan 7, 2023 [1], which gives us a good indication of when they fully gain trust.\r\nIn March, the primary contact email in Google’s oss-fuzz is updated to be Jia’s, instead of Lasse Collin’s.\r\nTesting infrastructure that will be used in this exploit is committed. 
Despite Lasse Collin being attributed as the author for this, Jia Tan committed it, and it was originally written by Hans Jansen in June:\r\nCommit: liblzma: Add ifunc implementation to crc64_fast.c\r\nPR: Replaced crc64_fast constructor with ifunc by hansjans162\r\nHans Jansen’s account was seemingly made specifically to create this pull request. There is very little activity before and after. They will later push for the compromised version of XZ to be included in Debian.\r\nIn July, a PR was opened in oss-fuzz to disable ifunc for fuzzing builds, due to issues introduced by the changes above. This appears to be deliberate, to mask the malicious changes that will be introduced soon. Also, JiaT75 opened an issue about a warning in clang that, while indeed incorrect, drew attention to ifuncs.\r\n2024\r\nA pull request for Google’s oss-fuzz is opened that changes the URL for the project from tukaani.org/xz/ to xz.tukaani.org/xz-utils/. tukaani.org is hosted at 5.44.245.25 in Finland, at this hosting company. The xz subdomain, meanwhile, points to GitHub pages. This furthers the amount of control Jia has over the project.\r\nA commit containing the final steps required to execute this backdoor is added to the repository:\r\nTests: Add a few test files\r\nTests: Update two test files\r\nThe discovery\r\nAn email is sent to the oss-security mailing list: backdoor in upstream xz/liblzma leading to ssh server compromise, announcing this discovery, and doing its best to explain the exploit chain.\r\nI was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol. 
Got suspicious.\r\nRecalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.\r\nReally required a lot of coincidences.\r\nMar 29, 2024, 18:32\r\nA gist has been published with a great high-level technical overview and a “what you need to know”.\r\nIn addition to the gist and the email above, several analysis attempts have begun emerging:\r\nxz/liblzma: Bash-stage Obfuscation Explained\r\n“It’s RCE, not auth bypass”\r\n[WIP] XZ Backdoor Analysis and symbol mapping\r\nInfographic\r\nxzbot: notes, honeypot, and exploit demo for the xz backdoor\r\nresearch!rsc: The xz attack shell script\r\nA sudden push for inclusion\r\nA request for the vulnerable version to be included in Debian is opened by Hans:\r\n#1067708 - xz-utils: New upstream version available\r\nThis request was opened the same week Hans’ Debian GitLab account was created. The account created a few similar “update” requests in various low-traffic repositories to build credibility, after asking for this one.\r\nSeveral other suspicious, anonymous name+number accounts with little former activity also push for its inclusion, including misoeater91 and krygorin4545. krygorin4545’s PGP key was made 2 days before joining the discussion.\r\nAlso seeing this bug. Extra valgrind output causes some failed tests for me. Looks like the new version will resolve it. Would like this new version so I can continue work.\r\nI noticed this last week and almost made a Valgrind bug. Glad to see it being fixed.\r\nThanks Hans!\r\nThe Valgrind bugs mentioned were introduced by this malicious injection, as noted in the email to OSS-Security:\r\nSubsequently the injected code (more about that below) caused valgrind errors and crashes in some configurations, due to the stack layout differing from what the backdoor was expecting. 
These issues were attempted to be worked around in 5.6.1:\r\nA pull request to a go library by a 1Password employee is opened asking to upgrade the library to the vulnerable version; however, it was all unfortunate timing. 1Password reached out by email referring me to this comment, and everything seems to check out.\r\nA Fedora contributor states that Jia was pushing for its inclusion in Fedora as it contains “great new features”.\r\nJia Tan also attempted to get it into Ubuntu days before the beta freeze.\r\nA few hours after all this came out, GitHub suspended JiaT75’s account. Thanks? They also banned the repository, meaning people can no longer audit the changes made to it without resorting to mirrors. Immensely helpful, GitHub. They also suspended Lasse Collin’s account, which is completely disgraceful.\r\nLasse has begun reverting changes introduced by Jia, including one that added a sneaky period to disable the sandbox. They also have published a FAQ that begins to explain the situation: XZ Utils backdoor\r\nOSINT\r\nVarious people have reached out to me regarding discoveries about the identity of Jia. Some of this has been incorporated in the timeline, but other stuff is “timeless” so I’m putting it here:\r\nIRC\r\nI received an email that clarified a few points and provided new insight into the situation.\r\n“Jia Tan” was present on the #tukaani IRC channel on Libera.Chat. A /whois revealed their connecting IP and activity on March 29th.\r\n[libera] -!- jiatan [~jiatan@185.128.24.163]\r\n[libera] -!- was : Jia Tan\r\n[libera] -!- hostname : 185.128.24.163\r\n[libera] -!- account : jiatan\r\n[libera] -!- server : tungsten.libera.chat [Fri Mar 29 14:47:40 2024]\r\n[libera] -!- End of WHOWAS\r\nRunning Nmap against the IP shows a lot of open ports, which probably indicates a proxy, hosting provider, or something of the sort. 
The IP is from Singapore.\r\nFurther research shows that this IP belongs to Witopia VPN, so it’s not entirely indicative of a region. Given the timezone, however, I feel like proximity becomes plausible.\r\nImportant notes on LinkedIn\r\nI have received a few emails alerting me to a LinkedIn of somebody named Jia Tan [2]. Their bio boasts of large-scale vulnerability management. They claim to live in California. Is this our man? The commits on JiaT75’s GitHub are set to +0800, which would not indicate presence in California. UTC-0800 would be California. Most of the commits were made between UTC 12-17, which is awfully early for California. In my opinion, there is not sufficient evidence that the LinkedIn being discussed is our man. I think identity theft is more likely, but I am of course open to more evidence.\r\nApr 7 Update: Subsequently, I’ve received a lot of people sending me other LinkedIn accounts, theorizing about what his name could mean, etc., but I don’t think a bad actor would use their real name.\r\nDiscoveries in the Git logs\r\nI received an email from Minhu Wang who investigated the Git log, and found one instance where Jia’s username was different:\r\n$ git shortlog --summary --numbered --email | grep jiat0218@gmail.com\r\n273 Jia Tan \u003cjiat0218@gmail.com\u003e\r\n2 jiat75 \u003cjiat0218@gmail.com\u003e\r\n1 Jia Cheong Tan \u003cjiat0218@gmail.com\u003e\r\nThey found this particularly interesting, as Cheong is new information.\r\nFurthermore, an independent analysis of commit timings concludes that the perpetrator worked “Office Hours” in a UTC+02/03 timezone. It’s particularly notable that they worked through the Lunar New Year, and did not work on some notable Eastern European holidays, including Christmas and New Year. 
I have, however, been presented with a differing view, which you can read here.\r\nRy Jones used gharchive to extract Jia’s entire git activity, and he uploaded it to a repository, viewable here: jiat75-logs. Jia’s GitHub username previously featured Cheong, but this has since been removed.\r\n👟 Footnotes\r\n1. Thanks @joeyh@hachyderm.io\r\n2. I was also alerted to discussions of this on Gab, which should tell you what you need to know.\r\nSource: https://boehs.org/node/everything-i-know-about-the-xz-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://boehs.org/node/everything-i-know-about-the-xz-backdoor"
	],
	"report_names": [
		"everything-i-know-about-the-xz-backdoor"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434030,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b5c131636a23debc4ae759a511b20cea22d526a.pdf",
		"text": "https://archive.orkl.eu/5b5c131636a23debc4ae759a511b20cea22d526a.txt",
		"img": "https://archive.orkl.eu/5b5c131636a23debc4ae759a511b20cea22d526a.jpg"
	}
}