“Trust no one! The minute God crapped out the third caveman, a conspiracy was hatched against one of them!” - Gen. Hunter Gathers, OSI (The Venture Bros.)
There are parties who have effectively endless resources and motivation to mock up a false-flag event to steer the responsibility for this a certain way. They're all very, very good at covering their tracks, and even the most experienced security researchers will take months or years to just get an educated guess of who could be responsible. Trying to figure out who did this is a waste of time.
The lesson is this:
1. Never, ever install bleeding-edge software in production, for any reason.
2. Pentesters in your organization should be regularly trying to blow holes in your stack and let both you and package maintainers know the result. If they're not, they're not doing their jobs.
3. FOSS maintainers should audit the new code in each release for security issues, particularly for things that are obviously security-sensitive.
4. Donate to your FOSS maintainers; they do insanely important work.
These rules will pay off no matter who or what wants to break into systems.
This fortunately didn't get to stable. This was as close of a shave as you can possibly get without a security Chernobyl in your systems.
EDIT:
Downvote all you want; I'm right.
There are people who very much want to convince you and everyone you know that a certain party is responsible for this and every other attack you read about. They'll go out of their way to do that. There are geopolitical goals to be achieved by doing so.
We're currently talking about banning foreign ownership of an incredibly popular web app in the US right now. If you are a government or commercial entity that would benefit from such a law, how convenient would it be if there happened to be a GitHub user with a Chinese-sounding name who committed an attack vector to the project with a timestamp that looked like it could have come out of the PRC?
And let's say it is someone in mainland China. We find out they are beyond a shadow of a doubt and who they are on a personal level. Some big-time DA's office like the Southern District of New York puts out an indictment for them and requests extradition. The people who are behind this are almost certainly state-sponsored and there's no way their asses are being handed over to US Marshals, ever. You could even argue that if they managed to stumble into a situation where they could be extradited, the government responsible for backing them would "tie up the loose end" before letting that happen, lest greater knowledge of what the organization has been doing fall into enemy hands.
Besides the Bond-style intrigue, there's no practical application to the knowledge. You already know where your users are coming from, most of the time, and might be geo-blocking based on that alone. If not, you know you should be alert to other threats from that region. If you're not, you aren't doing your job.
> Never, ever install bleeding-edge software in production, for any reason.
But for any X which is mainstream today someone was always the first of X. And even then being the second or third is still cutting edge. For a certain kind of company it makes sense to play this way, but if it were everyone then we'd have a tragedy.
That's why you run X in your sandbox/QA/testing/whatever-you-call-it environment, safe from the prying eyes of the public internet and the private data of users. Once it's all good there, and the community has come to a consensus about it being safe and ready-for-release, that's when you can put it wherever you want.
99.9% of releases for packages like this are boring bugfixes and stuff, not earth-shattering new features. You're not at a competitive disadvantage for not having taken this version of xz and having routed all of your traffic through it.