The pattern of this attack superficially resembles that of APT29, aka Cozy Bear, which has links to Russian foreign intelligence.
CREDIT: Wikimedia/Public domain, United States Computer Emergency Readiness Team
In late March 2024, Microsoft software engineer Andres Freund was flying home to San Francisco from his native Germany. He had been doing some micro-benchmarking and noticed that his system's sshd processes were using an unusual amount of CPU time. This in turn was generating a number of errors in Valgrind.
Andres explored further and found that the errors centred on liblzma, which together with the xz binary itself is one of the major components of XZ Utils. The source code for both is publicly available via GitHub, as are the associated binaries. XZ Utils can be found in almost every Linux distribution, since it provides lossless data compression.