Hackers target JavaScript project in OpenJS Foundation takeover attempt

April 17, 2024
1 min read

TLDR:

  • Attackers attempted to take over a JavaScript project hosted by the OpenJS Foundation, using the same playbook as the recent XZ Utils backdoor.
  • OpenSSF and OpenJS published a joint alert advising open-source maintainers how to recognize and resist such takeover attempts.

Attackers recently tried to take over a JavaScript project hosted by the OpenJS Foundation, whose projects are used by billions of websites worldwide. The attempt resembles the recent XZ Utils incident, a social engineering operation in which the attacker earned the project maintainer's trust over a period of years before being handed maintainer rights.

The Open Source Security Foundation (OpenSSF) and OpenJS issued a joint alert about this credible takeover attempt, urging maintainers to recognize the emerging attack pattern and take precautions to protect their open-source projects. The attacker(s) sent a series of suspicious emails requesting to be made a new maintainer of the project despite having no prior involvement with it, mirroring the approach used in the XZ/liblzma backdoor incident.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) emphasized the risk posed by such maintainership weaknesses, stating that the incident highlights the fragility of the open-source ecosystem. Maintainers are advised to watch for interactions characteristic of social engineering, such as messages that foster self-doubt or create a sense of urgency to bypass normal controls.

Patterns associated with social engineering takeovers include new community members aggressively pushing for maintainer status, pressure to promote an individual nobody in the project knows, endorsements from other unknown community members, and pull requests containing intentionally obfuscated or hard-to-understand source code. OpenSSF recommends following industry-standard security practices: strong authentication (such as multi-factor authentication), a published security policy that includes a coordinated vulnerability disclosure process, and review requirements before new code is merged.
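The last red flag on that list, obscured or hard-to-read code arriving in a pull request, is the one that can be partly mechanized. The following is an added illustration, not an OpenSSF or OpenJS tool: a small triage script that screens the files in a changeset for binary blobs (NUL bytes, non-text byte ratio, near-uniform entropy) and for the usual shape of obfuscated JavaScript (very long single lines, identifiers hidden behind `\xNN` string tables, `eval`/`new Function`). The thresholds are assumptions chosen for this example, and the three sample files are constructed inline so the script runs offline. It is a pre-review filter for a maintainer's attention, not a replacement for two-person review.

```python
"""Heuristic screen for changesets that add binary blobs or deliberately
obfuscated source. Added example; thresholds and samples are assumptions."""
import math
import re

# Tunable thresholds (assumed values for this example, not from the alert).
MAX_LINE_LEN = 250          # longer single lines suggest minified/obfuscated text
MAX_HEX_ESCAPES = 16        # '\xNN' / '\uNNNN' literals used to hide identifiers
MAX_NONTEXT_RATIO = 0.10    # share of bytes outside printable ASCII + whitespace
MIN_BLOB_ENTROPY = 7.0      # bits/byte; packed or encrypted payloads sit near 8

ESCAPE_RE = re.compile(rb"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
DYNAMIC_EXEC_RE = re.compile(rb"\beval\s*\(|\bnew\s+Function\s*\(")
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def review_file(data: bytes) -> list:
    """Return the indicator names that fire for one file's raw content."""
    flags = []
    nontext = sum(1 for b in data if b not in TEXT_BYTES)
    if data and (b"\x00" in data or nontext / len(data) > MAX_NONTEXT_RATIO):
        flags.append("binary-blob")
    if shannon_entropy(data) > MIN_BLOB_ENTROPY:
        flags.append("high-entropy")
    if any(len(line) > MAX_LINE_LEN for line in data.splitlines()):
        flags.append("long-lines")
    if len(ESCAPE_RE.findall(data)) > MAX_HEX_ESCAPES:
        flags.append("hex-escapes")
    if DYNAMIC_EXEC_RE.search(data):
        flags.append("dynamic-exec")
    return flags


def review_changeset(files: dict) -> dict:
    """Map path -> indicators for every file in the changeset that trips any."""
    report = {}
    for path, content in files.items():
        data = content.encode() if isinstance(content, str) else content
        flags = review_file(data)
        if flags:
            report[path] = flags
    return report


# Constructed sample changeset: three files a pull request might add.
NORMAL_JS = """// Parse a dotted version string such as "1.2.3" into integers.
function parseVersion(s) {
  return s.split('.').map(function (part) { return parseInt(part, 10); });
}
module.exports = { parseVersion: parseVersion };
"""

# Identifiers hidden behind a '\xNN' string table, everything on one line,
# ending in eval(): the typical shape of intentionally obscured source.
_TABLE = ",".join("'" + "".join("\\x%02x" % b for b in w.encode()) + "'"
                  for w in ("console", "log", "fromCharCode", "charCodeAt"))
OBFUSCATED_JS = (
    "var _0xab12=[" + _TABLE + "];"
    "(function(_0xa,_0xb){var _0xc=function(_0xd){while(--_0xd){_0xa['push'](_0xa['shift']());}};_0xc(++_0xb);}(_0xab12,0x1b3));"
    "var _0xcd34=function(_0xa,_0xb){_0xa=_0xa-0x0;return _0xab12[_0xa];};"
    "window[_0xcd34('0x1')][_0xcd34('0x0')](eval(String['fromCharCode'](0x68,0x69)));\n"
)

# A fake ELF-headed blob: NUL bytes and a near-uniform byte distribution.
BINARY_BLOB = b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)) * 2

SAMPLE_CHANGESET = {
    "lib/parse.js": NORMAL_JS,
    "lib/vendor.min.js": OBFUSCATED_JS,
    "test/fixtures/payload.bin": BINARY_BLOB,
}

if __name__ == "__main__":
    for path, flags in review_changeset(SAMPLE_CHANGESET).items():
        print(path, "->", ", ".join(flags))
```

Run against the sample changeset, `lib/parse.js` passes clean, the obfuscated file trips the long-line, hex-escape and dynamic-exec indicators, and the blob trips the binary and entropy checks. Legitimate minified vendor bundles will also trip the long-line check, which is the point: a reviewer should be asked to justify every such file rather than scroll past it.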
