Open Source Security Alert: Foundations Issue Urgent Warning
Recently, cybersecurity experts successfully thwarted an attempt to hack a project on the OpenJS platform, which bears a striking resemblance to a recent incident involving a backdoor in the XZ Utils compression utility.
On Monday, April 15, the nonprofit OpenJS Foundation, which oversees JavaScript projects used by billions of websites globally, received a series of suspicious emails. The senders urgently requested updates to one of the popular projects to address critical vulnerabilities, without providing detailed information.
Robin Bender Ginn of OpenJS and Omkhar Arasaratnam from the Open Source Security Foundation reported that the authors of the emails insisted on being appointed as new managers of one of the popular projects (whose name has been withheld), despite lacking prior experience with it.
Experts noted that the methods employed resembled those of a hacker known as Jia Tan, who has previously been the subject of our articles. It was Jia Tan, possibly representing a team of skilled hackers, who had earlier managed to implant a backdoor in the XZ Utils tool.
Ginn and Arasaratnam emphasized that none of the individuals who reached out were granted privileged access to the project, as the experts quickly suspected foul play.
According to Chris Hughes of Endor Labs, about a quarter of all projects in cybersecurity are managed by a single individual, and 94% have fewer than ten managers. He highlighted that the open-source software ecosystem is extraordinarily diverse and vulnerable due to global dependence on anonymous and scattered developers.
CISA officials, Jack Cable and Aeva Black, expressed the need to reconsider approaches to security in technology production. They asserted that companies utilizing open-source software should contribute to sustaining the ecosystem’s resilience, whether financially or through developer time.
Arasaratnam also shared plans by the Linux Foundation to develop special guidelines for project managers who might face aggressive attempts to seize control. He further stressed the importance of supporting managers in combating social engineering and manipulation, which could potentially lead to very serious consequences.