Other Attempts to Take Over Open Source Projects
After the XZ Utils discovery, people have been examining other open-source projects. Surprising no one, the incident is not unique:
The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.
[…]
The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).
The article includes a list of suspicious patterns, and another list of security best practices.
Winter • April 18, 2024 7:59 AM
OpenJS could to be the wrong target as there seem to be several developers with visibility involved.
I am more concerned about 1/2 overworked developer projects that are mainly in maintenance mode. These are the developers who do not have the time and resources to do everything “right”, following the OpenSSF guidelines. It is these overextended projects that might be tempted to welcome “new blood” to help them out in a perceived “security emergency”.
XZ was a textbook exemplar of such a target. The fact that the person(s) behind Jian Tan had already been working with the lead developer for a year or more would make it even more difficult to recognize the game plan.