The first commits they make are not to xz, but they are deeply suspicious. Specifically, they open a PR in libarchive: Added error text to warning when untaring with bsdtar. This commit does a little more than it says. It replaces safe_fprint with an unsafe variant, potentially introducing another vulnerability. The code was merged without any discussion, and lives on to this day (patched). libarchive should also be considered compromised until proven otherwise. (View Highlight)
Three days after this email, JiaT75 makes their first commit to xz: Tests: Created tests for hardware functions.. Since this commit, they become a regular contributor to xz (they are currently the second most active). Itâs unclear exactly when they became trusted in this repository. (View Highlight)
2023
JiaT75 merges their first commit on Jan 7 20231, which gives us good indication into when they fully gain trust. (View Highlight)
In July, a PR was opened in oss-fuzz to disable ifunc for fuzzing builds, due to issues introduced by the changes above. This appears to be deliberate to mask the malicious changes that will be introduced soon. (View Highlight)