Bonsai Unaffected By XZ Compromise
Incident Report for Bonsai
Resolved
Researchers recently discovered a sophisticated attempt to compromise XZ Utils, a compression library that is widely used in Linux-based systems across the world. Malicious code was inserted into the upstream release tarballs of the library (liblzma), and it targeted the OpenSSH server on distributions where sshd is linked against liblzma through libsystemd. Had the compromise gone unnoticed, a state actor or other attacker holding the corresponding private key could have remotely executed commands on many Linux-based machines on the Internet.

Fortunately, the issue was discovered before the compromised releases reached the stable channels of the major distributions; only XZ Utils 5.6.0 and 5.6.1 carry the malicious code, and those versions had shipped only in rolling-release and pre-release distributions. [CISA recommends](https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094) that users of affected versions downgrade to an uncompromised release such as XZ Utils 5.4.6.

Bonsai's system maintenance policy is to run up-to-date stable and LTS releases of its operating systems and software; because the compromised releases never reached those channels, none of our systems was exposed. Out of an abundance of caution, we also audited every online server in our fleet and verified that none of them is running XZ Utils 5.6.0 or 5.6.1.
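A host-level version of the audit described above, as an added example that is not Bonsai's own tooling: it flags the backdoored XZ Utils releases by exact version, checks the installed packages as well as the binary on PATH, and notes whether the OpenSSH server on the host loads liblzma, which is the path the backdoor used. The package names (xz-utils and liblzma5 on Debian-based systems, xz and xz-libs on RPM-based ones) and the fallback sshd path are assumptions about typical distributions.

```shell
#!/bin/sh
# Added example, not Bonsai's audit tooling: check one host for the backdoored
# XZ Utils releases (5.6.0 and 5.6.1, CVE-2024-3094). Run it locally, or over a
# fleet with something like: for h in $HOSTS; do ssh "$h" sh -s < audit-xz.sh; done
# Package names (xz-utils/liblzma5 on Debian, xz/xz-libs on RPM) and the
# /usr/sbin/sshd fallback are assumptions about typical distributions.

# True (exit 0) when a bare upstream version string is a compromised release.
xz_version_compromised() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce a token to its upstream version: "5.6.1-1" -> "5.6.1". Debian's fixed
# "5.6.1+really5.4.5-1" becomes "5.6.1+really5.4.5", which correctly does not match.
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# Scan free-form version output ("xz (XZ Utils) 5.6.1", "liblzma 5.6.1", a package
# query line...) token by token; true if any token is a compromised release.
# Exact matching means 5.6.10 or 15.6.1 is never mistaken for 5.6.1.
xz_output_compromised() {
    for tok in $1; do
        if xz_version_compromised "$(upstream_version "$tok")"; then
            return 0
        fi
    done
    return 1
}

# Does a binary load liblzma at run time? ldd resolves transitive dependencies,
# which matters here: sshd pulls in liblzma via libsystemd, not directly.
binary_links_liblzma() {
    [ -x "$1" ] && ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

audit_host() {
    audit_status=0

    # 1. The xz binary on PATH and the liblzma it reports.
    if command -v xz >/dev/null 2>&1; then
        xz_out=$(xz --version 2>/dev/null)
        if xz_output_compromised "$xz_out"; then
            echo "COMPROMISED binary: $(printf '%s\n' "$xz_out" | tr '\n' ';')"
            audit_status=1
        else
            echo "ok binary: $(printf '%s\n' "$xz_out" | head -n 1)"
        fi
    else
        echo "xz binary not installed"
    fi

    # 2. Installed packages, which can differ from whatever binary is on PATH.
    pkg_out=""
    if command -v dpkg-query >/dev/null 2>&1; then
        pkg_out=$(dpkg-query -W -f '${Package} ${Version}\n' xz-utils liblzma5 2>/dev/null)
    elif command -v rpm >/dev/null 2>&1; then
        pkg_out=$(rpm -q --qf '%{NAME} %{VERSION}\n' xz xz-libs 2>/dev/null)
    fi
    if [ -n "$pkg_out" ]; then
        if xz_output_compromised "$pkg_out"; then
            echo "COMPROMISED package: $(printf '%s\n' "$pkg_out" | tr '\n' ';')"
            audit_status=1
        else
            echo "ok packages: $(printf '%s\n' "$pkg_out" | tr '\n' ';')"
        fi
    fi

    # 3. Exposure: a compromised liblzma reaches the network only if sshd loads it.
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if binary_links_liblzma "$sshd_bin"; then
        echo "note: $sshd_bin loads liblzma ($(ldd "$sshd_bin" | grep liblzma | tr -s ' '))"
    fi

    return $audit_status
}

audit_host || echo "ACTION REQUIRED: downgrade to an uncompromised release (e.g. 5.4.6)"
```

A version match is a prompt to act, not proof of exposure on its own: some distributions later rebuilt 5.6.1 with the malicious code removed, and a host whose sshd does not load liblzma was not reachable through the backdoor even with the bad library installed. Conversely, a clean version string says nothing about a library that was replaced outside the package manager, so the package query and the binary check are deliberately both kept.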

Bonsai remains committed to the security and integrity of our systems and customers' data. Please direct any additional questions or concerns to support@bonsai.io.
Posted Apr 01, 2024 - 14:00 UTC