In February 2024, a malicious backdoor was introduced to the Linux build of the xz utility within the liblzma library in versions 5.6.0 and 5.6.1 by an account using the name "Jia Tan". (From Wikipedia.)
Debian classifies the compromised images as archival relics with minimal exploitation risk, prompting calls for persistent scanning to prevent supply-chain contamination.