SUP-COMPROMISE-005 Compromised build pipeline

A direct or transitive dependency matches a curated supply-chain incident in the compromised_build kind. The upstream project's build pipeline (the release tarball, the distro packaging step, the CI artefact) was compromised by a long-running attacker, even though the source tree on the public repository looked clean. The released binary or tarball is poisoned; auditing the source repository alone misses it.

This is the most patient class of supply-chain attack: the attacker may have spent months or years building social capital in the upstream community before activating the payload.

Catalogued incidents under this kind:

• INCIDENT-2024-xz (system: [email protected], 5.6.1), the multi- year supply-chain operation (Jia Tan) that added an sshd backdoor to xz release tarballs via the build pipeline.
• INCIDENT-2024-xz-utils (system: [email protected], 5.6.1), the Debian / Ubuntu / Fedora packaging step that distributed the same compromised xz tarballs under the distro's package name. Same CVE-2024-3094 backdoor.

What Vulkro detects

The detector walks every (ecosystem, name, version) triple and looks each one up against the curated catalog. A row whose kind is compromised_build and whose versions[] contains the installed version produces a SUP-COMPROMISE-005 finding.

Severity: the catalog row's severity (typically Critical). Confidence: High. Evidence signal: compromised-release-exact-version-match, weight 1.0.

Note: the xz catalog rows are in the system ecosystem (distro packages), not in npm / PyPI / Cargo. Vulkro matches on (ecosystem, name, version) together, so an npm dependency with the same name will not collide with the system row.

Non-compliant manifest (distro package)

$ dpkg -l xz-utils
ii  xz-utils       5.6.0-1

$ rpm -q xz
xz-5.6.1-1.fc40

Either install hits INCIDENT-2024-xz or INCIDENT-2024-xz-utils.

Compliant manifest

Roll back to a release built before the build-pipeline compromise. The advisory in the finding cites the precise affected versions and the distro's incident-response notice.

$ apt install xz-utils=5.4.6-0+deb12u1

Remediation

1. Downgrade to a release built before the build-pipeline compromise. Distribution-shipped packages (Debian, Ubuntu, Fedora) must also be rolled back per the distro's security advisory.
2. Verify the integrity of any binaries built from the compromised sources against vendor-published hashes. For the xz family that includes hashes for liblzma.so and anything that linked against it.
3. For systems that ran the affected version, treat the host as compromised for the period the bad version was active. The xz backdoor specifically targeted sshd, so an affected server's authentication trust boundary is in question; rotate ssh host keys, audit access logs, and rebuild from a known-clean image where feasible.
4. Run vulkro respond against every project on the machine to find every other place the same package version is in use.

See also

• vulkro scan - parent CLI.
• vulkro respond - find every other place the same package is in use.
• SUP-COMPROMISE-001 - sibling rule for hijacked-credential publish incidents.
• SUP-COMPROMISE-004 - sibling rule for author-introduced backdoors at the source level.
• SUP-COMPROMISE-006 - sibling rule for compromised editor / browser extensions via the same catalog.

References

• CWE-506: Embedded Malicious Code
• CWE-1357: Reliance on Insufficiently Trustworthy Component
• CWE-1395: Dependency on Vulnerable Third-Party Component
• NVD: CVE-2024-3094
• OWASP A08:2021 Software and Data Integrity Failures