Attempts to Gain Control of Open Projects, Mirroring XZ Package Situation

The Open Source Security Foundation (OpenSSF), which operates under the Linux Foundation, reports that attempts to take control of popular open source projects have been detected and stopped. The pattern resembles the earlier XZ incident, in which an attacker gained maintainer trust and then inserted a backdoor. In the recent cases, individuals with no prior involvement in the projects and no verifiable track record used social engineering to try to talk their way into positions of control.

The targets were members of the OpenJS Foundation Management Council. OpenJS is a neutral home for the collaborative development of open JavaScript projects, including Node.js, jQuery, Appium, Dojo, Pepha and webpack. Through emails from several outside developers with little or no track record in open source, the attackers tried to persuade the council to "update" a popular JavaScript project under OpenJS stewardship.

The stated pretext was that the project needed changes to protect it against serious security vulnerabilities, but no details of those vulnerabilities were ever provided. The senders asked that their changes be merged into the project despite having contributed little or nothing before. Two other popular JavaScript projects outside OpenJS received similar approaches, which points to a wider campaign rather than an isolated incident.

Warning signs of this kind of approach include: an overly friendly yet insistent tone toward maintainers and community members; persistent pressure to merge a particular patch or to be granted contributor or maintainer status; and the sudden appearance of a cluster of supporters who vouch for the newcomer but who themselves joined the community recently or have no development history of their own.

When reviewing contributions, maintainers should watch for: requests to merge binary data or opaque blobs (test fixtures are a common hiding place); cryptic, obfuscated or needlessly convoluted code; small, easily missed weakenings of existing security checks, which may be probes to see whether anyone notices; and unusual changes to how the project is compiled, assembled, packaged or deployed, since build and release scripts run with broad privileges and are reviewed less carefully than product code. Catching and scrutinising such activity early is essential to preserving the integrity and security of open source projects.
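The review red flags above can be turned into a first-pass triage that runs before a human looks at a pull request. The script below is an added example written for this page, not code from OpenJS, OpenSSF or any project they host: it walks a git unified diff and flags binary content, edits to build and packaging files, added lines that look like blobs or dynamic code loading, and removed or weakened security checks. The file-name patterns, keyword lists and the sample diff are constructed assumptions for illustration; a real deployment would tune them to the project.

```python
"""Heuristic triage of a unified diff for common supply-chain review red flags.

Added example, not code from OpenJS, OpenSSF or any hosted project. Patterns
and keyword lists are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass

# Files that control how the project is built, packaged or installed (assumed list).
BUILD_PATH_RE = re.compile(
    r"(^|/)(configure\.ac|Makefile(\.am|\.in)?|CMakeLists\.txt|build\.rs|"
    r"binding\.gyp|setup\.py|pyproject\.toml|package\.json|Dockerfile|"
    r"\.github/workflows/[^/]+\.ya?ml|m4/[^/]+\.m4)$"
)
# Calls that usually mean runtime code loading or command execution (assumed list).
SUSPICIOUS_CALL_RE = re.compile(
    r"\b(eval|Function|atob|unescape|execSync|spawnSync)\s*\(|String\.fromCharCode"
)
# A long run of base64 alphabet, or many hex escapes, on one added line.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}|(\\x[0-9a-fA-F]{2}){16,}")
# Words that mark a line as a security control; their removal deserves a look.
SECURITY_KEYWORD_RE = re.compile(
    r"verif(y|ied|ication)|signature|checksum|integrity|sandbox|sha(1|256|512)|"
    r"strictSSL|rejectUnauthorized",
    re.IGNORECASE,
)
# Added lines that switch a control off outright.
WEAKENING_RE = re.compile(
    r"rejectUnauthorized\s*:\s*false|strictSSL\s*[:=]\s*false|verify\s*=\s*False|"
    r"NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0|--no-verify"
)


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    detail: str


def triage_diff(diff_text: str) -> list[Finding]:
    """Return one Finding per red flag seen in a git unified diff."""
    findings: list[Finding] = []
    path = "<unknown>"
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            # "diff --git a/x b/x": attribute following hunks to the b/ side
            path = line.split(" b/", 1)[1] if " b/" in line else line
            if BUILD_PATH_RE.search(path):
                findings.append(Finding(path, "build-system change", "edits build/packaging file"))
            continue
        if line.startswith(("Binary files ", "GIT binary patch")):
            findings.append(Finding(path, "binary content", line.strip()))
            continue
        if line.startswith(("+++", "---", "@@")):
            continue  # file and hunk headers carry no reviewable content
        if line.startswith("+"):
            added = line[1:]
            if BLOB_RE.search(added):
                findings.append(Finding(path, "opaque blob", added.strip()[:60]))
            if SUSPICIOUS_CALL_RE.search(added):
                findings.append(Finding(path, "dynamic code/exec", added.strip()[:60]))
            if WEAKENING_RE.search(added):
                findings.append(Finding(path, "security control weakened", added.strip()[:60]))
        elif line.startswith("-"):
            removed = line[1:]
            if SECURITY_KEYWORD_RE.search(removed):
                findings.append(Finding(path, "security check removed", removed.strip()[:60]))
    return findings


# Constructed sample diff: a postinstall hook that evals decoded code, a dropped
# checksum check, TLS verification switched off, and a new binary test fixture.
SAMPLE_DIFF = """\
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -5,6 +5,7 @@
   "scripts": {
     "test": "mocha",
+    "postinstall": "node -e \\"eval(Buffer.from('Y29uc29sZS5sb2coJ2hpJyk=','base64').toString())\\"",
     "build": "webpack"
   },
diff --git a/lib/fetch.js b/lib/fetch.js
--- a/lib/fetch.js
+++ b/lib/fetch.js
@@ -10,8 +10,7 @@ async function download(url, expectedSha256) {
   const body = await get(url);
-  if (sha256(body) !== expectedSha256) {
-    throw new Error("checksum mismatch");
-  }
+  // checksum verification moved to a later step
   return body;
 }
-const agent = new https.Agent({ rejectUnauthorized: true });
+const agent = new https.Agent({ rejectUnauthorized: false });
diff --git a/test/fixtures/blob.bin b/test/fixtures/blob.bin
new file mode 100644
Binary files /dev/null and b/test/fixtures/blob.bin differ
"""

if __name__ == "__main__":
    for f in triage_diff(SAMPLE_DIFF):
        print(f"{f.path}: {f.kind}: {f.detail}")
```

Run against the sample, the script reports seven findings across the three files. The output is a prompt for human review, not a verdict: every rule is a heuristic that will miss a patient attacker and will occasionally fire on legitimate changes, so the right response to a hit is a second, more sceptical reviewer rather than an automatic block.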
