The recent attempted XZ Utils backdoor (CVE-2024-3094) may not be an isolated incident as evidenced by a similar credible takeover attempt intercepted by the OpenJS Foundation, home to JavaScript projects used by billions of websites worldwide. The Open Source Security (OpenSSF) and OpenJS Foundations are calling all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects. (...)
Suspicious patterns in social engineering takeovers:

* Friendly yet aggressive and persistent pursuit of maintainer or their hosted entity (foundation or company) by relatively unknown members of the community.
* Request to be elevated to maintainer status by new or unknown persons.
* Endorsement coming from other unknown members of the community who may also be using false identities, also known as “sock puppets.”
* PRs containing blobs as artifacts.
  * For example, the XZ backdoor was a cleverly crafted file as part of the test suite that wasn’t human readable, as opposed to source code.
* Intentionally obfuscated or difficult to understand source code.
* Gradually escalating security issues.
  * For example, the XZ issue started off with a relatively innocuous replacement of safe_fprintf() with fprintf() to see who would notice.
* Deviation from typical project compile, build, and deployment practices that could allow the insertion of external malicious payloads into blobs, zips, or other binary artifacts.
* A false sense of urgency, especially if the implied urgency forces a maintainer to reduce the thoroughness of a review or bypass a control.

These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them. Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack.

https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/

-- Nelson Ferraz
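A reviewer-side check for the "PRs containing blobs as artifacts" and "obfuscated source code" patterns in the alert above, added here as an example (it is not part of the post, nor OpenSSF/OpenJS tooling). It takes a constructed dict of changed files standing in for `git diff --name-only` plus file contents, and flags anything not human-readable, near-random, or carrying very long lines, so the reviewer knows which files to open by hand; the 500-character line limit and 7.5 bits/byte entropy cutoff are assumed thresholds.

```python
# Flag changed files in a PR that a reviewer should inspect by hand (added example).
# The `changed` dict stands in for `git diff --name-only` plus each file's new content.
import math
from collections import Counter

TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
MAX_LINE = 500      # assumed cutoff: longer single lines suggest minified/encoded content
HIGH_ENTROPY = 7.5  # bits/byte; near 8.0 means compressed, encrypted or random data

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_human_readable(data: bytes, min_printable: float = 0.95) -> bool:
    """Heuristic: no NUL bytes and almost all bytes are printable ASCII/whitespace."""
    sample = data[:8192]
    if not sample:
        return True
    if b"\x00" in sample:
        return False
    return sum(b in TEXT_BYTES for b in sample) / len(sample) >= min_printable

def review_changed_files(changed: dict[str, bytes]) -> list[dict]:
    """Return one finding per file matching the 'blob' or 'obfuscated' patterns."""
    findings = []
    for path, content in changed.items():
        reasons = []
        entropy = shannon_entropy(content)
        if not is_human_readable(content):
            reasons.append("not human-readable (binary blob)")
        if entropy >= HIGH_ENTROPY:
            reasons.append(f"high entropy ({entropy:.2f} bits/byte)")
        if max((len(line) for line in content.splitlines()), default=0) > MAX_LINE:
            reasons.append(f"line longer than {MAX_LINE} chars (minified/encoded?)")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings

# Constructed sample PR: a normal source edit, an opaque test fixture, one-line JS.
SAMPLE_PR = {
    "src/util.c": b"#include <stdio.h>\nint add(int a, int b) { return a + b; }\n",
    "tests/fixtures/case-07.bin": bytes(range(256)) * 16,   # looks like compressed data
    "tests/data/loader.js": b"var t=[" + b"0x41," * 300 + b"0];\n",  # one huge line
}

if __name__ == "__main__":
    for finding in review_changed_files(SAMPLE_PR):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

Findings are a prompt for manual review, not a verdict: legitimate test corpora are often binary, so the point is to make such files impossible to merge unnoticed.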