The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation, which backs multiple JavaScript-based open source software (OSS) projects, have warned that the attempted social engineering observed earlier in April 2024 against the XZ Utils data compression library may not be an isolated incident.
The XZ Utils attack saw a threat actor known as JiaTan infiltrate the XZ Utils project over a period of several years, becoming trusted by the project maintainers and contributing legitimate updates to the software before trying to sneak in a backdoor, CVE-2024-3094, which could have caused carnage had it not been for the swift actions of an eagle-eyed researcher.
Now, OpenSSF and OpenJS are calling for all open source maintainers to be alert for similar takeover attempts after the OpenJS Cross Project Council received multiple suspicious emails imploring them to update one of its projects to address critical vulnerabilities without citing any specific details.
Robin Bender Ginn, OpenJS Foundation executive director, and Omkhar Arasaratnam, OpenSSF general manager, said that the authors of the emails, which bore different names but came from overlapping GitHub-associated accounts, wanted to be designated as project maintainers despite having little prior involvement, similar to how JiaTan was able to weasel their way into the XZ Utils project.
They added that the OpenJS team also became aware of a similar pattern at two other widely used JavaScript projects that it doesn’t host itself, and has flagged the potential security risk to the respective project leaders, as well as to the US cyber security authorities.
“None of these individuals have been given privileged access to the OpenJS-hosted project. The project has security policies in place, including those outlined by the Foundation’s security working group,” wrote Bender Ginn and Arasaratnam in a joint blog post detailing the attack.
“Open source projects always welcome contributions from anyone, anywhere, yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a ‘quick fix’ to any problem.
“Together with the Linux Foundation, we want to raise awareness of this ongoing threat to all open source maintainers, and offer practical guidance and resources from our broad community of experts in security and open source,” they said.
What to look out for
Among other things, OSS project members should be alert to friendly, yet aggressive and persistent pursuit of maintainer status by any new or relatively unknown community members, new requests to be elevated, and endorsement from other unknown community members, which may potentially be sockpuppet accounts.
Members should also be aware of pull requests (PRs) that contain blobs as artifacts – the XZ backdoor was a file that wasn’t human readable, not source code; intentionally obfuscated or hard-to-understand source code; security issues that seem to escalate slowly – the XZ attack started with a relatively innocuous test amendment; deviation from typical project compile, build and deployment procedures; and a false sense of urgency, particularly if someone appears to be trying to convince a maintainer to bypass a control or speed up a review.
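Several of the PR-level warning signs above (non-readable blobs, obfuscated or encoded content, changes to build and deployment files) can be turned into a pre-review check so a human looks harder before trusting a change. The script below is an added example, not code from OpenJS, OpenSSF or any project named here; the path list, thresholds and sample changeset are constructed assumptions for illustration.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Paths whose modification changes how a project is compiled, built or shipped
# (prefix match; hypothetical list for illustration, adjust per project).
BUILD_PATHS = ("configure.ac", "Makefile.am", "m4/", "CMakeLists.txt",
               "build-aux/", ".github/workflows/")

@dataclass
class ChangedFile:
    path: str
    content: bytes  # new file content as it would appear in the PR

def _decodes(data: bytes) -> bool:
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def is_binary(data: bytes) -> bool:
    """Not human-readable: contains NUL bytes or is not valid UTF-8 text."""
    return b"\x00" in data or not _decodes(data)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ordinary source sits well below 5.5, packed/encoded data above."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def review_flags(files):
    """Map each suspicious path to the reasons a reviewer should look harder."""
    flags = {}
    for f in files:
        reasons = []
        if is_binary(f.content):
            reasons.append("binary blob, not reviewable as source")
        else:
            longest = max((len(line) for line in f.content.splitlines()), default=0)
            if shannon_entropy(f.content) > 5.5 or longest > 300:
                reasons.append("possibly obfuscated or encoded content")
        if f.path.startswith(BUILD_PATHS):
            reasons.append("touches build/deploy configuration")
        if reasons:
            flags[f.path] = reasons
    return flags

# Constructed sample changeset (not from any real project) for demonstration.
SAMPLE_CHANGESET = [
    ChangedFile("src/lib/check.c", b"int check(int x) { return x > 0; }\n"),
    ChangedFile("tests/files/sample.bin", b"\x00\xff\x37\x20\x00\x01\x9a"),
    ChangedFile("m4/example-helper.m4", b"AC_DEFUN([EX_CHECK], [AC_MSG_CHECKING([example])])\n"),
    ChangedFile("src/loader.py", b"blob = '" + b"QUJD" * 100 + b"'\n"),
]

if __name__ == "__main__":
    for path, why in review_flags(SAMPLE_CHANGESET).items():
        print(path, "->", "; ".join(why))
```

A flag is a prompt for closer human review, not a verdict; legitimate test fixtures are often binary, so the point is that such files get explained and inspected rather than waved through.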
“These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them,” wrote Bender Ginn and Arasaratnam. “Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etcetera, might be part of a social engineering attack.”
Social engineering attacks can be difficult to detect or protect against via programmatic means as they prey on human emotions and trust, so in the short term, it is also important to share as much information about possible suspicious activity as possible, without shame or judgment, so that community members can learn protective strategies.
Chris Hughes, Endor Labs chief security officer and a cyber innovation fellow at the Cybersecurity and Infrastructure Security Agency (CISA), said he was unsurprised to hear about more widespread social engineering attacks against the open source world; moreover, given that the XZ attack received significant publicity, it is likely that other malicious actors will try similar tactics going forward.
“We can likely suspect that many of these are already underway and may have already been successful but haven’t been exposed or identified yet. Most open source projects are incredibly underfunded and run by a single or small group of maintainers, so utilising social engineering attacks on them isn’t surprising and given how vulnerable the ecosystem is and the pressures maintainers are under, they will likely welcome the help in many cases,” he said.
“If done well by the attackers, it may be difficult for the maintainers to determine which involvement is from those interested in collaborating and contributing to projects versus those with malicious intent.”
More broadly, Hughes warned, this poses a massive risk to the open source community, with around a quarter of all open source projects having just one maintainer, and 94% having fewer than 10. This risk then carries forward into organisations that use open source software components in their software.
“This raises awareness of the larger issue of how opaque the OSS ecosystem is. Components and projects that run the entire modern digital infrastructure are often maintained by unknown aliases and individuals scattered around the globe. Furthermore, many OSS projects are maintained by a single individual or small group of individuals – often in their spare time as a hobby or passion project and typically without any sort of compensation.
“This makes the entire ecosystem vulnerable to malicious actors preying on these realities and taking advantage of overwhelmed maintainers with a community making demands of them with no actual compensation in exchange for their hard work and commitment to maintaining code the world depends on,” he said.