- OpenSSF and OpenJS say that more software projects may have been targeted for sabotage.
- OpenSSF and OpenJS state that the attempt to insert a secret backdoor into XZ Utils, a little-known program that is baked into Linux operating systems worldwide, may not be an isolated incident.
- OpenSSF and OpenJS are calling for all open source maintainers to be alert for similar takeover attempts.
In the wake of the recent XZ Utils scare, the foundation behind another group of open source projects has come forward to say that several of its projects may have been hit by similar social engineering attempts.
More software may have been targeted for sabotage
The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation, which hosts multiple JavaScript-based open source software (OSS) projects, have warned that the social engineering campaign used to plant a backdoor in the XZ Utils data compression library, disclosed in March 2024, may not be a one-off.
They stated that at least three separate JavaScript projects had been approached by unidentified persons who either demanded suspicious changes or asked to be made maintainers of the targeted software.
The JavaScript programming language drives most modern web applications and is used worldwide, so the potential reach of such a takeover is large. Omkhar Arasaratnam, general manager of the Open Source Security Foundation, stated that one of the targeted projects alone sees tens of millions of downloads a week.
What to look for
OpenSSF and OpenJS are now warning all open source maintainers to be on the lookout for similar takeover attempts. The alert followed the OpenJS Cross Project Council receiving multiple suspicious emails urging it to update one of its projects to address "critical vulnerabilities" without giving any specifics about what those vulnerabilities were.
OSS project members should watch for a friendly yet aggressive and persistent pursuit of maintainer status by new or relatively unknown community members, requests from newcomers to be elevated to maintainer status within a short time of arriving, and endorsements from other unknown community members who may be sock puppet accounts controlled by the same actor.
Arasaratnam says to pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, or a sense of not doing enough for the project may be part of a social engineering attack.