This page will get updated as I learn more about the incident.

2024-04-09: The Git repositories of XZ projects are available on GitHub again.

The email address xz at tukaani dot org forwards to me only. This change was made on 2024-03-30. DNS name (CNAME) has been removed and won’t be restored.

The XZ projects have moved to their old URLs on XZ Utils’s home page is under construction still though.

To media and reporters

I won’t reply for now because first I need to understand the situation thoroughly enough. It’s enough to reload this page once per 48 hours to check if this message has changed.


I have gotten a lot of email. Thanks for the positive comments. Unfortunately I don’t have time to reply to most of them.


  • CVE-2024-3094

  • XZ Utils 5.6.0 and 5.6.1 release tarballs contain a backdoor. These tarballs were created and signed by Jia Tan.

  • Tarballs created by Jia Tan were signed by him. Any tarballs signed by me were created by me.

  • GitHub accounts of both me (Larhzu) and Jia Tan were suspended. Mine was reinstated on 2024-04-02.

  • Only I have had access to the main website, repositories, and related files. Jia Tan only had access to things hosted on GitHub, including subdomain (and only that subdomain).


I plan to write an article how the backdoor got into the releases and what can be learned from this. I’m still studying the details.

xz.git needs to be gotten to a state where I’m happy to say I fully approve its contents.

It is debated whether to rebase the master branch to purge the malicious files so that they wont’t trip antivirus software or such. Currently the opinion is somewhat tilted towards not rebasing.

Review of the repository is being made. This has higher priority right now than the pending article.

These will unfortunately but obviously take several days.

A clean stable XZ Utils release version is likely to jump to 5.8.0. It should clearly separate the clean one from the bad 5.6.x.