Summary: The latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access. Specifically, this code is present in versions 5.6.0 and 5.6.1 of the libraries. Fedora Linux 40 users may have received version 5.6.0, depending on the timing of system updates. Fedora Rawhide users may have received version 5.6.0 or 5.6.1.
Agreed. I am more speaking of 'in general', for example there was a supply chain attack on a widely used npm package by writing an email to the author of the npm package. There are other 'cheap' attacks like dependency confusion, typo squatting etc.
This one might not have been that cheap. The malicious code was added by a maintainer on the project for two years. That is some patience
Agreed. I am more speaking of 'in general', for example there was a supply chain attack on a widely used npm package by writing an email to the author of the npm package. There are other 'cheap' attacks like dependency confusion, typo squatting etc.