Security researchers have uncovered a "credible" takeover attempt against the OpenJS Foundation that bears a strong resemblance to the recently disclosed incident targeting the open source project XZ Utils.
"The OpenJS Foundation Cross Project Council has received a suspicious set of emails with similar messages, with different names and overlapping emails associated with GitHub," the OpenJS Foundation and Open Source Security Foundation (OpenSSF) said in a joint advisory.
According to Robin Bender Ginn, executive director of the OpenJS Foundation, and Omkhar Arasaratnam, general manager of OpenSSF, the emails urged OpenJS to act quickly to update one of its popular JavaScript projects to address critical vulnerabilities, without providing any specifics about what those vulnerabilities were.
The authors of the emails also asked OpenJS to designate them as new maintainers of the project, despite having had little prior involvement in it. Two other popular JavaScript projects not hosted by OpenJS are also said to have been the recipients of similar approaches.
That said, none of the people who contacted OpenJS were granted privileged access to the project hosted by OpenJS.
The incident mirrors the method by which XZ Utils' sole maintainer was targeted: fictitious personas created expressly for what is believed to be a social engineering and pressure campaign designed to make Jia Tan (aka JiaT75) a co-maintainer of the project.
This raised the possibility that the attempt to sabotage XZ Utils may not be an isolated incident and is part of a larger campaign aimed at undermining the security of various projects, the two open source groups said. The names of the JavaScript projects were not disclosed.
Jia Tan, as of now, has no other digital footprint outside of the account's own contributions, which indicates that the persona was invented for the sole purpose of gaining credibility in the open source development community over several years and ultimately inserting a stealthy backdoor into XZ Utils.
It also illustrates the sophistication and patience that went into planning and executing the campaign: by targeting a volunteer-run open source project used in many Linux distributions, the attacker put organizations and users at risk of supply chain attacks.
The XZ Utils backdoor incident also highlights the “fragility” of the open source ecosystem and the risks created by maintainer burnout, the US Cybersecurity and Infrastructure Security Agency (CISA) said last week.
“The burden of security should not fall on a single open source maintainer, as has happened in this case to near-disastrous effect,” said CISA officials Jack Cable and Aeva Black.
“Every technology maker that profits from open source software must do their part by being a responsible consumer and sustainable contributor to the open source packages on which they depend.”
The agency recommends that technology manufacturers and system operators that incorporate open source components directly support or assist maintainers in periodically auditing source code, eliminating entire classes of vulnerabilities, and implementing other secure-by-design principles.
“These social engineering attacks are exploiting the sense of duty that maintainers have to their project and their community to manipulate them,” Bender Ginn and Arasaratnam said.
"Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc., could be part of a social engineering attack."