The malicious .o is extracted from data in binary test files, but the backdoor i... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		edflsafoiewq on April 3, 2024 \| parent \| context \| favorite \| on: The xz attack shell script The malicious .o is extracted from data in binary test files, but the backdoor is inserted entirely in the build phase. Running any test phase is not necessary.

rafaelmn on April 3, 2024 [–]

So if you ran build without test files it would fail. I get that this is hindsight thinking - but maybe removing all non essential files when packaging/building libraries reduces the surface area.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact