On Mon, 2024-04-01 at 01:32 +0300, Alexandru N. Barloiu wrote: > https://piaille.fr/@zeno/112185928685603910 > > There's an ENV var you can set that is a kill switch for the whole thing :) >
For the part that we found :) The author of the backdoor had commit access to the upstream repository for a long time: https://git.tukaani.org/?p=xz.git;a=search;s=Jia+Tan;st=author Personally I would be skeptical of running any version of any package that he has touched.
