xz-style Attacks Continue to Target Open-Source Maintainers
2 - 3 min read
Apr 16, 2024
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently targeting the Linux xz data compression library, XZ Utils. Many believe the attempt to backdoor Linux’s xz data compression library might not be an isolated incident. According to the OpenJS Foundation and Open Source Security Foundation (OpenSSF), there has been a series of suspicious emails that appear targeted at a popular unnamed JavaScript project that the OpenJS Foundation hosts.
What Targeted Threats Have Been Identified Targeting Open-Source Maintainers?
The emails were sent from different names, all with GitHub-associated email addresses, and were constructed around the same theme. The suspected attackers were trying to get themselves added as project maintainers to “address any critical vulnerabilities” but didn’t provide details on these vulnerabilities, which raises suspicion. This approach is similar to how the backdoor was introduced into XZ/liblzma, and as a result, it has been flagged as a potential security danger.
Two other popular JS projects also received similar messages, raising more concern that certain groups of attackers are looking to introduce backdoors into open-source projects. Moreover, OpenJS immediately flagged the potential security concerns to cybersecurity and infrastructure security agencies within the United States Department of Homeland Security (DHS).
This kind of attack is not new, yet it seems an effective way for attackers to infiltrate an open-source project. Therefore, it is critical to note that project maintainers must be extra vigilant and perform rigorous checks when adding contributors as maintainers. According to the article, this attack method utilizes social engineering techniques and exploits a sense of duty that maintainers feel toward their projects to infiltrate them.
What Can Be Done to Combat This Threat?
The attack method exploits the maintainers’ sense of social responsibility to deceive them. As such, promoting technical expertise and sharing knowledge about emerging threats and attack methods is imperative. Additionally, it is necessary to ensure that open-source projects are well-funded and their maintainers are adequately supported. This would serve as a significant deterrent against potential social engineering attacks.
As such, governments and other organizations must allocate resources to help secure the broader open-source ecosystem. Funding for security developers has already had a tremendous effect, for example, the security-focused Alpha-Omega project, which Microsoft, Amazon, and Google support. Germany’s Sovereign Tech Fund aims to support foundations like OpenJS to strengthen infrastructure and security.
Our Final Thoughts on This Attack
This attack is a clear example of how attackers can infiltrate open-source projects by exploiting users’ trust to introduce backdoors. Consequently, we recommend coordinating efforts from different organizations and collaborating globally within the open-source ecosystem. In essence, this will help ensure that open-source developers are better equipped to identify such threats and mitigate them promptly. Therefore, more resources, a coordinated approach, knowledge sharing, and adequate funding are imperative in raising open-source security levels to protect our interconnected open-source projects and shared digital economies.
Related Articles
1 - 0 min read
KDE Issues Warning After Theme Wipes Linux Users
1 - 0 min read
Open Source is Not Insecure, Despite Common Misconceptions
1 - 0 min read
Hacked VMs Reveal New Attack Risks
