xz-style Attacks Continue to Target Open-Source Maintainers
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently targeting the Linux xz data compression library, XZ Utils. Many believe the attempt to backdoor Linux’s xz data compression library might not be an isolated incident. According to the OpenJS Foundation and Open Source Security Foundation (OpenSSF), there has been a series of suspicious emails that appear targeted at a popular unnamed JavaScript project that the OpenJS Foundation hosts.
The emails were sent from different names, all with GitHub-associated email addresses, and were constructed around the same theme. The suspected attackers were trying to get themselves added as project maintainers to “address any critical vulnerabilities” but didn’t provide details on these vulnerabilities, which raises suspicion. This approach is similar to how the backdoor was introduced into XZ/liblzma, and as a result, it has been flagged as a potential security danger.
Two other popular JS projects also received similar messages, raising more concern that certain groups of attackers are looking to introduce backdoors into open-source projects. Moreover, OpenJS immediately flagged the potential security concerns to cybersecurity and infrastructure security agencies within the United States Department of Homeland Security (DHS).
