OpenSSF warns that similar cyber attacks to those on 'XZ Utils' are being targeted at other projects



In April 2024, it was discovered that a malicious backdoor had been inserted into 'XZ Utils', a compression tool bundled with Linux distributions. The Open Source Security Foundation (OpenSSF), which monitors open source vulnerabilities, and the OpenJS Foundation, which supports the JavaScript ecosystem, have warned that this was not an isolated incident but may be part of a broader campaign that also targets other open source projects, and have called for caution.

Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects – Open Source Security Foundation

https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/



According to the report, the OpenJS Foundation Cross Project Council received multiple emails requesting that one of its JavaScript projects be updated to address a 'critical vulnerability.' While no specifics were given, the emails asked that their authors, who had little prior involvement in the project, be made new maintainers. The emails have been noted to resemble the behavior of Jia Tan, the person who installed the backdoor in the 'XZ Utils' incident.

Summary of the timeline leading up to the backdoor attack on XZ Utils - GIGAZINE



Suspicious emails were sent to two other JavaScript projects not hosted by the OpenJS Foundation as well.

As a result, the OpenJS Foundation has reported its security concerns to project leaders and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

As other open source projects may be targeted in the same way as XZ Utils, the OpenJS Foundation recommends taking the following steps to protect your projects:

- Use strong authentication: enable two-factor or multi-factor authentication, use a secure password manager, keep recovery codes in a safe place (preferably offline), and do not reuse credentials across different services.
- Establish a security policy that includes a vulnerability disclosure process.
- Use best practices for merging new code: enable branch protection and signed commits, and whenever possible have the code reviewed by another developer before merging, even when the pull request comes from a maintainer.
- Minimize the use of opaque binaries, which can obscure what a new pull request actually changes.
- Limit the number of users with npm publishing permissions.
- Know your committers and maintainers and review them regularly.
- If you manage an open source package or repository, consider adopting the 'Package Repository Security' principles.
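As an added illustration of the 'signed commits', 'know your committers' and 'opaque binaries' recommendations above (example code written for this page, not from OpenSSF or the OpenJS Foundation), the script below audits a git log against a hypothetical maintainer allowlist; the log lines and maintainer addresses are constructed.

```python
# Audit recent history for unsigned commits, committers outside the maintainer
# allowlist, and changes to opaque binary files. Input is the text produced by:
#   git log --format='%H%x09%G?%x09%an <%ae>' --name-only
# (%G? prints G for a good signature; N means unsigned, B bad, U untrusted, E unverifiable).
from dataclasses import dataclass

KNOWN_MAINTAINERS = {"alice@example.org", "bob@example.org"}  # hypothetical allowlist
BINARY_SUFFIXES = (".bin", ".tar", ".gz", ".xz", ".zip", ".o", ".so", ".exe")

# Constructed sample log: one clean commit from a known maintainer, one unsigned
# commit from an unknown address that also touches a binary test fixture.
SAMPLE_LOG = """\
a1b2c3\tG\tAlice <alice@example.org>

src/decoder.c

d4e5f6\tN\tNewcomer <newcomer@example.net>

tests/files/sample.xz
build-aux/m4/helper.m4
"""

@dataclass
class Finding:
    commit: str
    reason: str

def parse_log(text):
    """Split git-log text into records of {sha, status, author, files}."""
    records, current = [], None
    for line in text.splitlines():
        if "\t" in line:  # header line (tab-separated by the %x09 format above)
            sha, status, author = line.split("\t", 2)
            current = {"sha": sha, "status": status, "author": author, "files": []}
            records.append(current)
        elif line.strip() and current is not None:  # file name under the header
            current["files"].append(line.strip())
    return records

def audit(text):
    """Return a list of Finding objects for every recommendation the log violates."""
    findings = []
    for r in parse_log(text):
        email = r["author"].split("<")[-1].rstrip(">")
        if r["status"] != "G":
            findings.append(Finding(r["sha"], f"commit not verifiably signed (status {r['status']})"))
        if email not in KNOWN_MAINTAINERS:
            findings.append(Finding(r["sha"], f"committer {email} not on maintainer allowlist"))
        for path in r["files"]:
            if path.lower().endswith(BINARY_SUFFIXES):
                findings.append(Finding(r["sha"], f"opaque binary added or changed: {path}"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f.commit, f.reason)
```

In practice the input would come from the real repository, and the allowlist from the project's documented maintainer roster rather than a literal in the script.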

in Security, Posted by logc_nt