    OpenJS Foundation targets potential acquisition of JavaScript project


    ReportApril 16, 2024Editorial DepartmentSupply Chain/Software Security


Security researchers have uncovered a “credible” takeover attempt targeting the OpenJS Foundation, carried out in a manner similar to the recently discovered incident against the open source XZ Utils project.

The OpenJS Foundation and the Open Source Security Foundation (OpenSSF) said in a joint alert: “The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names, and overlapping GitHub-associated emails.”

OpenJS Foundation executive director Robin Bender Ginn and OpenSSF general manager Omkhar Arasaratnam said the emails urged OpenJS to take action to update one of its popular JavaScript projects to fix critical vulnerabilities, but provided no specific details about those vulnerabilities.


The email authors also asked OpenJS to designate them as new maintainers of the project, despite having had little prior involvement in it. Two other popular JavaScript projects not hosted by OpenJS are reported to have been targeted by similar activity.

None of the people who contacted OpenJS were granted access to any OpenJS-hosted project.

The incident shines a spotlight on the approach by which XZ Utils’ sole maintainer was targeted: fictitious personas were created specifically for what is believed to be a social engineering and pressure campaign designed to make Jia Tan (aka JiaT75) a co-maintainer.

The two open source organizations said this suggests that the attempt to compromise XZ Utils may not be an isolated incident, but part of a broader campaign to undermine the security of individual projects. The name of the targeted JavaScript project has not been made public.

As it stands, Jia Tan has no digital footprint beyond those contributions, suggesting that the account’s sole purpose was to build credibility with the open source development community over several years and ultimately push a covert backdoor into XZ Utils.

The incident also illustrates the sophistication and patience that went into planning and executing the campaign: by targeting an open source, volunteer-run project that is used in many Linux distributions, the attackers put organizations and users downstream at risk of a supply chain attack.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said last week that the XZ Utils backdoor incident also highlighted the “fragility” of the open source ecosystem and the risks posed by maintainer burnout.

“The security burden should not fall on a single open source maintainer, and in this case it had near-catastrophic consequences,” said CISA officials Jack Cable and Aeva Black.


    “Every technology manufacturer that profits from open source software must do their part to be a responsible consumer and sustainable contributor of the open source software packages they rely on.”

The agency recommends that technology manufacturers and system operators that use open source components should, directly or by supporting maintainers, regularly review source code, eliminate entire classes of vulnerabilities, and implement other secure-by-design principles.

    “These social engineering attacks are exploiting maintainers’ sense of responsibility to their projects and communities to manipulate them,” Bender Ginn and Arasaratnam said.

    “Pay attention to how the interaction makes you feel. Interactions that create feelings of self-doubt, inadequacy, not doing enough for the project, etc. may be part of a social engineering attack.”
