The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation have called on open source maintainers to look out for takeover attempts, after spotting multiple social engineering attacks reminiscent of the recent xz Utils campaign.
The OpenJS Foundation Cross Project Council claimed in a new blog post that it recently received a series of suspicious emails with similar messages and overlapping GitHub-linked emails, but bearing different names.
Without citing specific details, the messages apparently asked OpenJS to urgently update one of its popular JavaScript projects in order to “address any critical vulnerabilities.” The email author(s) demanded that they be designated as a new maintainer of the project in order to take on this work.
This set alarm bells ringing at the foundation as it drew strong parallels with a similar social engineering tactic employed by ‘Jia Tan’ – the malicious maintainer believed to be responsible for the recently disclosed xz Utils/liblzma backdoor.
OpenJS said it spotted two other similar attempts to infiltrate two separate JavaScript projects, which it referred to the US Cybersecurity and Infrastructure Security Agency (CISA).
OpenJS said it believes the best way to tackle this apparent uptick in attempts to trick the open source community is awareness building. To that end, it released the following warning signs of suspicious activity:
- Friendly but aggressive and persistent pursuit of a maintainer or their foundation or company by relatively unknown ‘members’ of the community
- A request to be elevated to maintainer status by new or unknown persons
- Endorsement that comes from other unknown members of the community who may be using false identities
- Pull requests (PRs) containing blobs as artifacts so they can’t be read by humans (as opposed to source code)
- Intentionally obfuscated or difficult to understand source code
- Gradually escalating security issues designed to slip malicious activity under the radar
- Deviation from typical project compile, build and deployment practices to enable the insertion of external malicious payloads into blobs, zips or other binary artifacts
- A false sense of urgency to force a maintainer to reduce the thoroughness of a review or bypass a control
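Two of the warning signs above (opaque binary blobs added as artifacts, and changes to build or packaging scripts) can be surfaced mechanically before a human review. The following triage helper is an added example, not code from the article or from OpenJS/OpenSSF; the changeset it inspects is constructed inline, and the set of build-file names is an assumption a project would tailor to its own layout.

```python
# Added example: flag PR files that are non-text blobs or that touch build/packaging
# scripts, so a reviewer can look at them first. Not part of the original article.
import math
from collections import Counter

# Hypothetical list of files whose changes alter how a release is produced.
BUILD_FILE_NAMES = {"Makefile", "configure", "configure.ac", "package.json",
                    "build.rs", "setup.py", "CMakeLists.txt"}
BUILD_DIR_PREFIXES = ("m4/", "scripts/build/")

# Constructed sample changeset (path, content); a real hook would read the PR diff.
SAMPLE_PR = [
    ("src/parser.js", b"function parse(s) { return JSON.parse(s); }\n"),
    ("tests/data/sample.bin", bytes(range(256)) * 4),
    ("package.json", b'{"scripts": {"build": "node build.js"}}\n'),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate compressed, encrypted or random content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_binary(data: bytes) -> bool:
    """A NUL byte or undecodable UTF-8 means a reviewer cannot read it as source."""
    if b"\x00" in data:
        return True
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False

def touches_build(path: str) -> bool:
    """True when the file is a known build script or lives under a build directory."""
    name = path.rsplit("/", 1)[-1]
    return name in BUILD_FILE_NAMES or path.startswith(BUILD_DIR_PREFIXES)

def triage_pr(files):
    """Return (path, reason) findings for the reviewer; an empty list means nothing flagged."""
    findings = []
    for path, content in files:
        if looks_binary(content):
            findings.append((path, f"binary blob, entropy {shannon_entropy(content):.2f} bits/byte"))
        if touches_build(path):
            findings.append((path, "build or packaging script changed"))
    return findings

if __name__ == "__main__":
    for path, reason in triage_pr(SAMPLE_PR):
        print(f"REVIEW FIRST: {path}: {reason}")
```

A flagged file is not evidence of malice on its own; the point is to make sure those files get a careful human read rather than being waved through under time pressure.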
A Major Threat to Open Source
Chris Hughes, chief security advisor at Endor Labs, warned that these attacks pose a huge threat to the open source and software community – and that many attempts to infiltrate projects may already have been successful. It’s known that Jia Tan was working on projects other than xz Utils, for example.
“Most open source projects are incredibly underfunded and run by a single or small group of maintainers, so utilizing social engineering attacks on them isn’t surprising and given how vulnerable the ecosystem is and the pressures maintainers are under, they will likely welcome the help in many cases,” Hughes continued.
“If done well by the attackers, it may be difficult for the maintainers to determine which involvement is from those interested in collaborating and contributing to projects versus those with malicious intent.”