Jia Tan
Persona behind a multi-year software supply-chain operation targeting xz-utils, a widely deployed open-source data-compression library. The 'Jia Tan' account contributed to xz-utils from October 2021, steadily building credibility and commit access before inserting a sophisticated backdoor in versions 5.6.0 and 5.6.1 (CVE-2024-3094, CVSS 10.0). The backdoor, discovered on 29 March 2024 by Andres Freund, modified liblzma to intercept SSH RSA key authentication on affected systemd-linked Linux systems, enabling unauthorized remote access to any host running the compromised package. Multiple researchers assessed the operation as state-sponsored based on its sophistication and multi-year patience, but no public attribution to a specific government has been made.
Aliases
Motivations
Target sectors
Target countries
Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Timeline
0 events
Indicators of compromise
0 indicators
Related actors
shared ATT&CK techniques
- RU · Russia · Turla · 1 shared technique
References
cite this page
Threat Intel Tracker. (2026-05-19). Jia Tan — actor profile. Retrieved from https://threatintel.local/actors/jia-tan