The Open Source Security Foundation (OpenSSF) and OpenJS Foundation have issued alerts regarding social engineering attacks targeting open-source projects [4] [6] [8].
Description
Following a recent credible takeover attempt on an OpenJS-hosted project, the OpenSSF and the OpenJS Foundation have issued alerts [1] [6] [8]. The incident, reminiscent of the xz Utils backdoor (CVE-2024-3094), involved suspicious emails urging immediate updates to JavaScript projects to address critical vulnerabilities [1] [4], together with requests from unknown individuals with limited prior involvement to be made maintainers. The OpenJS Foundation Cross Project Council received similar suspicious emails requesting updates without naming any critical vulnerability [2] [5] [8], closely resembling the tactics used in the xz/liblzma backdoor incident.

The US Cybersecurity and Infrastructure Security Agency (CISA) has been notified [1] [3] [4] [8]. The foundations emphasize the risk of maintainer burnout and the importance of supporting maintainers in auditing source code and applying secure design principles. No new maintainers were appointed in the recent attempt, and security policies are in place to prevent unauthorized access [5].

Maintainers are advised to treat the following as warning signs: persistent requests from unknown community members, requests to elevate new individuals to maintainer status, and urgent requests that lack specifics [7]. The foundations stress the importance of vigilance and have published indicators of suspicious activity to help counter these deceptive tactics. Because open-source projects on platforms such as GitHub are attractive targets for cybercriminals, maintainers are encouraged to adopt measures such as Multi-Factor Authentication (MFA) and thorough code review to guard against social engineering [8]. Chief security advisor Chris Hughes warns that social engineering takeover attempts are increasing and underscores the need to address security issues in open-source software; building awareness and recognizing the warning signs are crucial to detecting such suspicious activity [9].
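The three warning signs above (persistence from unknown members, elevation requests from newcomers, urgency without specifics) can be turned into a simple triage aid that a maintainer runs over incoming requests before acting on them. The following is an added example, not code from the OpenSSF, the OpenJS Foundation or any project named on this page; the message and contributor-history fields, the keyword lists and the score thresholds are assumptions, and every sample request and contributor below is constructed for illustration.

```python
"""Score maintainer-access and release requests against the red flags named in
the OpenSSF/OpenJS alert.  Added example with assumed data shapes; all samples
are constructed, not real messages or accounts."""
from dataclasses import dataclass, field
import re

# Assumed keyword sets; tune them to the project's own communication style.
URGENCY = re.compile(r"\b(urgent|immediately|asap|critical|right away)\b", re.I)
ELEVATION = re.compile(r"\b(maintainer|commit access|write access|publish rights|npm owner)\b", re.I)
# Something concrete a genuine vulnerability report would normally carry:
# a CVE or GHSA id, an issue/PR number, or a link to a report.
SPECIFICS = re.compile(r"\bCVE-\d{4}-\d{4,}\b|\bGHSA-[\w-]+\b|#\d+\b|https?://", re.I)


@dataclass
class Contributor:
    handle: str
    account_age_days: int
    merged_prs: int
    review_comments: int


@dataclass
class Request:
    sender: str
    text: str
    prior_requests: int = 0   # how many times this sender asked before


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)


def involvement(handle: str, contributors: dict) -> str:
    """Classify the sender's track record: unknown, limited or established."""
    c = contributors.get(handle)
    if c is None:
        return "unknown"
    if c.account_age_days < 90 or c.merged_prs + c.review_comments < 5:
        return "limited"
    return "established"


def triage(req: Request, contributors: dict) -> Finding:
    """Apply the alert's indicators; each matched indicator adds to the score."""
    f = Finding()
    level = involvement(req.sender, contributors)
    urgent = bool(URGENCY.search(req.text))
    specific = bool(SPECIFICS.search(req.text))
    elevation = bool(ELEVATION.search(req.text))

    if urgent and not specific:
        f.score += 2
        f.reasons.append("urgent request with no CVE/advisory/issue/link")
    if elevation and level != "established":
        f.score += 2
        f.reasons.append(f"maintainer-access request from {level} contributor")
    if req.prior_requests >= 2 and level != "established":
        f.score += 1
        f.reasons.append(f"repeated request ({req.prior_requests} earlier asks)")
    if level == "unknown":
        f.score += 1
        f.reasons.append("sender has no contribution history in this project")
    return f


def recommend(f: Finding) -> str:
    """Map a score to an action; thresholds are assumptions."""
    if f.score >= 4:
        return "escalate"   # raise with the other maintainers before acting
    if f.score >= 2:
        return "review"     # verify identity and claims out of band
    return "routine"


# Constructed sample data.
CONTRIBUTORS = {
    "alice": Contributor("alice", account_age_days=1200, merged_prs=48, review_comments=300),
    "newbie42": Contributor("newbie42", account_age_days=20, merged_prs=1, review_comments=0),
}
SAMPLE_REQUESTS = [
    Request("newbie42", "This is urgent: please publish a release immediately to fix "
                        "critical vulnerabilities. Also add me as a maintainer so I can help.",
            prior_requests=3),
    Request("alice", "Heads up: #412 is a parser regression and #415 fixes it; "
                     "can we cut a release once CI is green?"),
    Request("stranger99", "Can I get commit access? I'd like to help maintain the project."),
]


def run_samples():
    """Triage every sample request; returns (sender, score, action) tuples."""
    return [(r.sender, triage(r, CONTRIBUTORS).score, recommend(triage(r, CONTRIBUTORS)))
            for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        f = triage(r, CONTRIBUTORS)
        print(f"{r.sender:<10} score={f.score} action={recommend(f)} reasons={f.reasons}")
```

The scorer only ranks; the maintainer still makes the call. Its value is that it forces the questions the alert asks (who is this, what exactly is broken, how many times have they asked) to be answered before a release is rushed or access granted.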
Conclusion
The recent social engineering attacks targeting open-source projects highlight the need for increased vigilance and security measures among maintainers. By implementing best practices such as Multi-Factor Authentication and thorough code reviews, the risks of unauthorized access and malicious takeovers can be mitigated. Maintainers must remain cautious of suspicious requests and prioritize the security of their projects. The ongoing efforts to combat deceptive tactics and raise awareness about social engineering attacks are essential in safeguarding the integrity of open-source software.
References
[1] https://www.ihash.eu/2024/04/openjs-foundation-targeted-in-potential-javascript-project-takeover-attempt/
[2] https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/
[3] https://www.csoonline.com/article/2092118/more-open-source-project-takeover-attempts-found-after-xz-utils-attack.html
[4] https://www.infosecurity-magazine.com/news/open-source-xz-utilslike-takeover/
[5] https://vuink.com/post/bcraffs-d-dbet/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects
[6] https://www.computerweekly.com/news/366580938/More-social-engineering-attacks-on-open-source-projects-observed
[7] https://www.helpnetsecurity.com/2024/04/16/open-source-project-takeover/
[8] https://www.hackread.com/openssf-fake-maintainers-target-javascript-projects/
[9] https://www.inkl.com/news/more-threats-against-open-source-software-could-be-coming-soon-experts-warn