I'm not watching all that. Probably a bunch of "experts" no one has ever heard of with the most vague explanation of what supposedly happened. Probably another Dan Kaminsky who blackmailed M$ and others over the "DNS vuln" he found and sat on for like 2 years.
Nothing of that sort.
THE SCOURGE OF software supply chain attacks—an increasingly common hacking technique that hides malicious code in a widely used legitimate program—can take many forms. Hackers can penetrate an update server to seed out their malware, or even break into the network where the software was developed to corrupt it at the source. Or, in the case of one particularly insidious software supply chain attacker known as Jia Tan, they can spend two years politely and enthusiastically volunteering to help.
Over the weekend, the cybersecurity and open source software community was shocked by the news that a relatively new, experimental version of XZ Utils—a compression utility integrated into many popular distributions of Linux—contained a backdoor that would have allowed hackers in possession of a specific private key to connect to the backdoored system and run their own commands as an administrator. Only some chance detective work carried out by a lone Microsoft engineer, Andres Freund—who’d detected a strange delay in how the remote connection protocol SSH was running in a version of the Linux variant Debian—caught the spy trick before it ended up in many millions of systems worldwide.
At a glance, Jia Tan certainly looks East Asian—or is meant to. The time zone of Jia Tan’s commits are UTC+8: That’s China’s time zone, and only an hour off from North Korea’s. However, an analysis by two researchers, Rhea Karty and Simon Henniger, suggests that Jia Tan may have simply changed the time zone of their computer to UTC+8 before every commit. In fact, several commits were made with a computer set to an Eastern European or Middle Eastern time zone instead, perhaps when Jia Tan forgot to make the change.