https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users Ok, so a recent version of an open source core utility (#xz utils) was backdoored with injected #malware as a long-term project, and the backdoor managed to sneak into at least Fedora's "development branch".
Exec summary: Panic is not necessary on this one, unless you are quite a special target. Also, this will not be the only core open source project with a tired maintainer that might have been targeted in a similar way, one that would not have been caught in testing. Ensuring that core dependencies of widely used open source software have a viable supporting organization behind them, one that addresses the social issue of maintainer 'generation changes', is important. How can we resource this better?
Some in Finnish: from #CERT FI on the subject, in Finnish: https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_10/2024
Immense kudos also to @AndresFreundTec, who noticed something was hinky during completely unrelated testing of completely different software, looked deeper and reported his findings, which allowed this backdoor to apparently remain limited to many distributions' "development branches".
https://mastodon.social/@AndresFreundTec/112180406142695845