Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ

Mario Lins; René Mayrhofer; Michael Roland

doi:10.1007/978-981-95-4434-9_24

Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ

Institute of Networks and Security

Research output: Chapter in Book/Report/Conference proceeding › Conference proceedings › peer-review

Abstract

Recently, a previously unseen supply chain attack due to a backdoor in XZ Utils has been identified by A. Freund. This particular attack leverages highly sophisticated attack techniques, starting with social engineering attacks against the open source community up to implanting a backdoor in obfuscated binary blobs. This malware is designed to empower the attacker(s) to remotely run commands on vulnerable servers utilizing SSH evading authentication. A reverse dependency analysis revealed that the affected library is used by almost 30,000 packages in Debian and Ubuntu—the same order of magnitude as the GNU standard C library (glibc/libc6), a dependency for roughly 50,000 packages on these systems. This fact highlights the severity of such supply chain attacks and raises concerns about further backdoored packages still undetected in the wild. This paper identifies the critical attack path for successful implantation of such a backdoor and abstracts general key takeaways for future detection and mitigation of similar attacks. We also present SketchyCrawler, an open-source tool prototype designed to illustrate crawling repositories to reveal ‘sketchy’ signs of potential backdoor implantation attempts.

Original language	English
Title of host publication	Cryptology and Network Security
Subtitle of host publication	24th International Conference, CANS 2025, Proceedings
Editors	Yongdae Kim, Atsuko Miyaji, Mehdi Tibouchi
Place of Publication	Osaka, Japan
Publisher	Springer Singapore
Pages	521-541
Number of pages	21
Edition	1
ISBN (Electronic)	978-981-95-4434-9
ISBN (Print)	978-981-95-4433-2
DOIs	https://doi.org/10.1007/978-981-95-4434-9_24
Publication status	E-pub ahead of print - 13 Nov 2025

Publication series

Name	Lecture Notes in Computer Science
Volume	16351 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Fields of science

102 Computer Sciences
102016 IT security

JKU Focus areas

Digital Transformation

Access to Document

10.1007/978-981-95-4434-9_24

Christian Doppler Laboratory for Private Digital Authentication in the Physical World - Digidow
Mayrhofer, R. (PI)
01.01.2020 → 31.12.2026
Project: Funded research › CDG - Christian Doppler Forschungsgesellschaft

Cite this

Lins, M., Mayrhofer, R., & Roland, M. (2025). Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ. In Y. Kim, A. Miyaji, & M. Tibouchi (Eds.), Cryptology and Network Security: 24th International Conference, CANS 2025, Proceedings (1 ed., pp. 521-541). (Lecture Notes in Computer Science; Vol. 16351 LNCS). Springer Singapore. Advance online publication. https://doi.org/10.1007/978-981-95-4434-9_24

Lins, Mario ; Mayrhofer, René ; Roland, Michael. / Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ. Cryptology and Network Security: 24th International Conference, CANS 2025, Proceedings. editor / Yongdae Kim ; Atsuko Miyaji ; Mehdi Tibouchi. 1. ed. Osaka, Japan : Springer Singapore, 2025. pp. 521-541 (Lecture Notes in Computer Science).

@inproceedings{e1874bf70f02477f9d8d168e70aebe70,

title = "Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ",

abstract = "Recently, a previously unseen supply chain attack due to a backdoor in XZ Utils has been identified by A. Freund. This particular attack leverages highly sophisticated attack techniques, starting with social engineering attacks against the open source community up to implanting a backdoor in obfuscated binary blobs. This malware is designed to empower the attacker(s) to remotely run commands on vulnerable servers utilizing SSH evading authentication. A reverse dependency analysis revealed that the affected library is used by almost 30,000 packages in Debian and Ubuntu—the same order of magnitude as the GNU standard C library (glibc/libc6), a dependency for roughly 50,000 packages on these systems. This fact highlights the severity of such supply chain attacks and raises concerns about further backdoored packages still undetected in the wild. This paper identifies the critical attack path for successful implantation of such a backdoor and abstracts general key takeaways for future detection and mitigation of similar attacks. We also present SketchyCrawler, an open-source tool prototype designed to illustrate crawling repositories to reveal {\textquoteleft}sketchy{\textquoteright} signs of potential backdoor implantation attempts.",

author = "Mario Lins and Ren{\'e} Mayrhofer and Michael Roland",

year = "2025",

month = nov,

day = "13",

doi = "10.1007/978-981-95-4434-9\_24",

language = "English",

isbn = "978-981-95-4433-2",

series = "Lecture Notes in Computer Science",

publisher = "Springer Singapore",

pages = "521--541",

editor = "Yongdae Kim and Atsuko Miyaji and Mehdi Tibouchi",

booktitle = "Cryptology and Network Security",

edition = "1",

}

Lins, M , Mayrhofer, R & Roland, M 2025, Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ. in Y Kim, A Miyaji & M Tibouchi (eds), Cryptology and Network Security: 24th International Conference, CANS 2025, Proceedings. 1 edn, Lecture Notes in Computer Science, vol. 16351 LNCS, Springer Singapore, Osaka, Japan, pp. 521-541. https://doi.org/10.1007/978-981-95-4434-9_24

Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ. / Lins, Mario ; Mayrhofer, René ; Roland, Michael.
Cryptology and Network Security: 24th International Conference, CANS 2025, Proceedings. ed. / Yongdae Kim; Atsuko Miyaji; Mehdi Tibouchi. 1. ed. Osaka, Japan: Springer Singapore, 2025. p. 521-541 (Lecture Notes in Computer Science; Vol. 16351 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference proceedings › peer-review

TY - GEN

T1 - Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ

AU - Lins, Mario

AU - Mayrhofer, René

AU - Roland, Michael

PY - 2025/11/13

Y1 - 2025/11/13

N2 - Recently, a previously unseen supply chain attack due to a backdoor in XZ Utils has been identified by A. Freund. This particular attack leverages highly sophisticated attack techniques, starting with social engineering attacks against the open source community up to implanting a backdoor in obfuscated binary blobs. This malware is designed to empower the attacker(s) to remotely run commands on vulnerable servers utilizing SSH evading authentication. A reverse dependency analysis revealed that the affected library is used by almost 30,000 packages in Debian and Ubuntu—the same order of magnitude as the GNU standard C library (glibc/libc6), a dependency for roughly 50,000 packages on these systems. This fact highlights the severity of such supply chain attacks and raises concerns about further backdoored packages still undetected in the wild. This paper identifies the critical attack path for successful implantation of such a backdoor and abstracts general key takeaways for future detection and mitigation of similar attacks. We also present SketchyCrawler, an open-source tool prototype designed to illustrate crawling repositories to reveal ‘sketchy’ signs of potential backdoor implantation attempts.

AB - Recently, a previously unseen supply chain attack due to a backdoor in XZ Utils has been identified by A. Freund. This particular attack leverages highly sophisticated attack techniques, starting with social engineering attacks against the open source community up to implanting a backdoor in obfuscated binary blobs. This malware is designed to empower the attacker(s) to remotely run commands on vulnerable servers utilizing SSH evading authentication. A reverse dependency analysis revealed that the affected library is used by almost 30,000 packages in Debian and Ubuntu—the same order of magnitude as the GNU standard C library (glibc/libc6), a dependency for roughly 50,000 packages on these systems. This fact highlights the severity of such supply chain attacks and raises concerns about further backdoored packages still undetected in the wild. This paper identifies the critical attack path for successful implantation of such a backdoor and abstracts general key takeaways for future detection and mitigation of similar attacks. We also present SketchyCrawler, an open-source tool prototype designed to illustrate crawling repositories to reveal ‘sketchy’ signs of potential backdoor implantation attempts.

U2 - 10.1007/978-981-95-4434-9_24

DO - 10.1007/978-981-95-4434-9_24

M3 - Conference proceedings

SN - 978-981-95-4433-2

T3 - Lecture Notes in Computer Science

SP - 521

EP - 541

BT - Cryptology and Network Security

A2 - Kim, Yongdae

A2 - Miyaji, Atsuko

A2 - Tibouchi, Mehdi

PB - Springer Singapore

CY - Osaka, Japan

ER -

Lins M , Mayrhofer R , Roland M. Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ. In Kim Y, Miyaji A, Tibouchi M, editors, Cryptology and Network Security: 24th International Conference, CANS 2025, Proceedings. 1 ed. Osaka, Japan: Springer Singapore. 2025. p. 521-541. (Lecture Notes in Computer Science). Epub 2025 Nov 13. doi: 10.1007/978-981-95-4434-9_24

Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ

Abstract

Publication series

Fields of science

JKU Focus areas

Access to Document

Projects

Christian Doppler Laboratory for Private Digital Authentication in the Physical World - Digidow

Cite this