Other Attempts to Take Over Open Source Projects

2 weeks ago AndyC

Other Attempts to Take Over Open Source Projects
After the XZ Utils discovery, people have been examining other open-source projects.

Other Attempts to Take Over Open Source Projects

After the XZ Utils discovery, people have been examining other open-source projects. Surprising no one, the incident is not unique:

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.

[…]

The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).

The article includes a list of suspicious patterns, and another list of security best practices.

Tags: , ,

Sidebar photo of Bruce Schneier by Joe MacInnis.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , ,

More Stories

Ex-NSA employee sentenced to 262 months in prison for attempting to transfer classified documents to Russia

Ex-NSA employee sentenced to 262 months in prison for attempting to transfer classified documents to Russia

7 mins ago AndyC
Cuttlefish targets enterprise-grade SOHO routers

Cuttlefish targets enterprise-grade SOHO routers

7 mins ago AndyC
A flaw in the R programming language could allow code execution

A flaw in the R programming language could allow code execution

7 mins ago AndyC
Thrilled to Share My Experience at RSA 2024! | Dr. Erdal Ozkaya

Thrilled to Share My Experience at RSA 2024! | Dr. Erdal Ozkaya

6 hours ago AndyC
Muddling Meerkat, a mysterious DNS Operation involving China's Great Firewall

Muddling Meerkat, a mysterious DNS Operation involving China’s Great Firewall

6 hours ago AndyC

AI Voice Scam – Schneier on Security

6 hours ago AndyC

You may have missed

Ex-NSA employee sentenced to 262 months in prison for attempting to transfer classified documents to Russia

Ex-NSA employee sentenced to 262 months in prison for attempting to transfer classified documents to Russia

7 mins ago AndyC
Cuttlefish targets enterprise-grade SOHO routers

Cuttlefish targets enterprise-grade SOHO routers

7 mins ago AndyC
A flaw in the R programming language could allow code execution

A flaw in the R programming language could allow code execution

7 mins ago AndyC
Workers with AI skills are getting these pay cash premiums

Workers with AI skills are getting these pay cash premiums

12 mins ago AndyC
Bitcoin Forensic Analysis Uncovers Money Laundering Clusters and Criminal Proceeds

Bitcoin Forensic Analysis Uncovers Money Laundering Clusters and Criminal Proceeds

12 mins ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.