XZ Utils might not have been the only sabotage target, open-source foundations warn
The XZ Utils backdoor (CVE-2024-3094) may not have been an isolated incident, according to a joint statement by the Open Source Security Foundation and the OpenJS Foundation.
If you're unaware of the XZ Utils saga, my esteemed colleague, Steven Vaughn-Nichols, covered the story in "This backdoor almost infected Linux everywhere: The XZ Utils close call." In short, a Microsoft engineer discovered that a maintainer of the XZ data compression utility, Jia Tan, inserted a backdoor into the code so that attackers could take over Linux systems.
Also: 7 things even new Linux users can do to better secure the OS
These foundations suggesting there is evidence of similar credible takeover attempts means everyone should pay attention.
The OpenJS Foundation Cross Project Council received a series of suspicious emails that implored OpenJS to update one of its popular JavaScript projects to "address any critical vulnerabilities." The suspicious emails did not offer any specifics, but the author wanted OpenJS to designate them as the new maintainer of the project, which is how Jin Tan inserted his backdoor into XZ.
That project was not the only one targeted, the foundations said. At least two other projects were also targeted. The security risks were immediately flagged.
In the joint statement, the OpenJS Foundation said, "Together with the Linux Foundation, we want to raise awareness of this ongoing threat to all open source maintainers, and offer practical guidance and resources from our broad community of experts in security and open source."
The two foundations then listed known suspicious patterns in social engineering takeovers :
- Friendly, yet aggressive pursuit of a maintainer
- Request to be elevated to maintainer status
- An endorsement from other unknown parties
- Pull Requests containing blobs as artifacts
- Intentionally obfuscated or difficult-to-comprehend source code
- Gradual escalation of security issues
- Deviation from typical project compile, build, and deployment practices
- A false sense of urgency
If you (or your project) come across such behavior, make sure to read the OpenSSF Guides as well as CISA's "Avoiding Social Engineering and Phishing Attacks" blog post.