Malicious Code in xz Utils: Back to the Development Build Pipeline
Each code contributor (internal or external) should be treated as a potential insider threat.
Recently, a malicious backdoor was discovered in a widely used open-source utility called xz Utils. This compression tool is nearly ubiquitous in the Linux ecosystem, providing lossless data compression on various Unix-like operating systems. The backdoor was introduced in versions 5.6.0 and 5.6.1 of xz Utils. Although there are no known reports of these versions being incorporated into production releases for major Linux distributions, some beta releases (such as Fedora Rawhide and Debian testing) did use the compromised versions. A stable release of Arch Linux was also affected, although it’s not commonly used in production systems.
Sophisticated attackers, as seen in previous incidents, can compromise a build pipeline by infiltrating the software development process. Once inside an organization, attackers can manipulate the build process, potentially affecting every downstream consumer of the affected software.
Open Source vs. Closed Source Software: What’s Safer?
Both open source and closed source (commercial) software are vulnerable to attack. Each has its merits and drawbacks. While there is no definitive answer to whether one is inherently more secure than the other, let’s explore some of the reasons why:
1. Transparency and Trust:
- Open Source: Open-source software offers true transparency. Users can inspect the source code and evaluate its security. Community collaboration ensures continuous improvement.
- Closed Source: Closed source software relies on trust in the vendor’s claims. Without visibility into the code, users must rely on assurances without direct verification.
2. Vulnerability Exposure:
- Open Source: Because open-source code is accessible to everyone, vulnerabilities are also more visible. However, prompt fixes depend on volunteer community involvement and are not always possible. Further, there may not be any structured standards or compliance requirements driving the identification of vulnerabilities.
- Closed Source: Vulnerabilities may exist but remain hidden until discovered. In smaller and non-regulated development teams, finding them may not be a priority.
3. Dependency Risks:
- Open Source: Relies on external libraries and dependencies. Vulnerabilities in these components can affect overall security.
- Closed Source: Dependencies are managed internally, but users may still face risks if third-party components are vulnerable.
4. Customization and Control:
- Open Source: Customization is possible, allowing organizations to tailor software. However, this flexibility can introduce security risks if not handled carefully.
- Closed Source: Limited customization options, but the vendor maintains control over security features.
The Defense Strategy
Vigilance and monitoring in the fast-paced DevOps landscape are critical. Organizations must fortify their defenses by employing governance to monitor the integrity of their software build process, regardless of software type. Critical areas of focus include:
- Implement secure by design principles.¹
- Source code repository monitoring to validate that contributors are authenticated and expected.
- Dependency management scrutiny by generating and analyzing a valid software bill of materials (SBOM) for changes in open-source library usage.
- Build process vigilance, including watching for unauthorized modifications to the build server(s), certificates, or signing keys.
- Artifact repository integrity checks, such as comparing file hashes, performing behavioral analysis, and monitoring for unusual account access or network traffic.
¹ Source: Cybersecurity and Infrastructure Security Agency, Secure by Design | CISA
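As an added example (not part of the original article), the following Python script performs the SBOM change analysis recommended above: it diffs two constructed CycloneDX-style SBOMs for a build and flags any component whose version matches the xz Utils releases named earlier. The SBOM contents and package names are constructed sample data.

```python
import json

# Constructed sample SBOMs (minimal CycloneDX JSON): a baseline image and the
# same image after a dependency refresh that pulled in xz-utils 5.6.0.
SBOM_BEFORE = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "xz-utils", "version": "5.4.6"},
    {"name": "openssh-server", "version": "9.6p1"},
    {"name": "zlib", "version": "1.3"},
]})
SBOM_AFTER = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "xz-utils", "version": "5.6.0"},
    {"name": "openssh-server", "version": "9.6p1"},
    {"name": "libzstd", "version": "1.5.5"},
]})
# Versions the article identifies as backdoored; extend from your own advisories.
KNOWN_BAD = {"xz-utils": {"5.6.0", "5.6.1"}}


def components(sbom_json):
    """Map component name -> version for a CycloneDX SBOM document."""
    doc = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def diff_sboms(before_json, after_json):
    """Return (added, removed, changed); changed maps name -> (old, new)."""
    before, after = components(before_json), components(after_json)
    added = {n: v for n, v in after.items() if n not in before}
    removed = {n: v for n, v in before.items() if n not in after}
    changed = {n: (before[n], after[n]) for n in before
               if n in after and before[n] != after[n]}
    return added, removed, changed


def flag_known_bad(sbom_json, known_bad=KNOWN_BAD):
    """List (name, version) pairs in the SBOM that match the block list."""
    return sorted((n, v) for n, v in components(sbom_json).items()
                  if v in known_bad.get(n, set()))


def review(before_json, after_json):
    """Findings a pipeline gate can act on: every change, plus hard blocks."""
    added, removed, changed = diff_sboms(before_json, after_json)
    findings = [f"changed: {n} {old} -> {new}" for n, (old, new) in sorted(changed.items())]
    findings += [f"added: {n} {v}" for n, v in sorted(added.items())]
    findings += [f"removed: {n} {v}" for n, v in sorted(removed.items())]
    findings += [f"BLOCK: {n} {v} is a known-backdoored version"
                 for n, v in flag_known_bad(after_json)]
    return findings
```

Calling `review(SBOM_BEFORE, SBOM_AFTER)` on the sample data reports the xz-utils version bump, the added and removed libraries, and a BLOCK finding for 5.6.0 that a build gate can fail on.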
Are You Prepared?
Fortunately, this backdoor was discovered before it made its way into production versions of Linux, but this incident highlights the importance of asking “what if.” Consider using this as an opportunity to ask yourself and your cross-functional teams: What if this had not been detected earlier? How would you have determined scope and impact? What containment and remediation steps would you have taken?
KPMG professionals are passionate and objective about cyber security. We’re always thinking, sharing and debating. Because when it comes to cyber security, we’re in it together.