@saagar
Indeed, there is a backup of that git repo here: https://hachyderm.io/@joeyh/112181933627831133

@sahil @saagar

The original is still at https://git.tukaani.org/?p=xz.git;a=log and still has the offending files.

@saagar maybe this was the only way they could think of to take down the tarball on short notice?

@saagar I expect this is a "it's Friday evening, we want to preserve evidence and prevent any further issues from coming up over the weekend, let's take everything down and sort it out on Monday" kind of situation.

The actual git repo is still available at https://git.tukaani.org/ (which includes the payload in the test binary artifacts), and the backdoored tarballs which activate it can be found on the Internet Archive: https://web.archive.org/web/20240329182710/https://github.com/tukaani-project/xz/releases

@saagar yeah I feel lucky to have taken screenshots when I still could. I did not git clone down anything though, haha

@saagar Don't worry, I'm sure none of it got slurped into Copilot...

@saagar I'd also heard the trojan wasn't actually in the git repo but was in a separate patch that was being applied between the "git pull" and "tar" steps of the release process (specifically after running autoconf) - if true the repo they took down would have been clean anyway.

@saagar wait till it turns out this was just one of:
1. A precursor to a new interview take home test for a security company (“Find the vuln”)
2. Someone doing a take home test for a security company (“Insert the vuln”)