Robin Bender Ginn, executive director of the OpenJS Foundation, and Omkhar Arasaratnam, CEO of OpenSSF, said the authors of the emails, who used different names but sent them from overlapping GitHub accounts, wanted to be appointed as maintainers of the project despite having no previous involvement (similar to how "Jia Tan" managed to infiltrate the XZ Utils project).
The OpenJS Foundation also became aware of a similar pattern in two other widely used JavaScript projects that it does not host itself, and reported the potential security risk to the relevant OpenJS executives, as well as government cybersecurity authorities.
"None of these people had privileged access to the OpenJS project. The project has security policies in place, including those developed by the Foundation's Security Working Group," Bender Ginn and Arasaratnam wrote in a joint blog post detailing the attack.
"Open source projects always welcome contributions from anyone, anywhere, but granting someone administrative access to source code as a maintainer requires a higher level of earned trust, and is not given out as a 'quick fix' for any problem," they said. "Together with the Linux Foundation, we want to bring this persistent threat to the attention of all maintainers and offer practical guidance and resources from our broad community of security and open source experts."
What to look out for
Among other things, OSS project participants should be alert to friendly but aggressive and persistent requests from new or relatively unknown community members to become maintainers, and to new requests for status upgrades and approvals from other unknown community members who may be sockpuppet accounts.
Community members should also be alert for the following: pull requests (PRs) that contain blobs as artifacts (the XZ backdoor was a non-human-readable file, not source code); intentionally obfuscated or hard-to-understand source code; security issues that seem to be slowly escalating (the XZ attack started with a relatively innocuous test patch); deviations from the project's typical compilation, build, and deployment procedures; and a false sense of urgency, especially if someone is trying to convince the maintainer to bypass controls or speed up a review.
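The red flags above, as an added pre-merge check that is not part of the foundations' guidance or of any project's code: it scans a pull request's changed files for binary blobs, high-entropy (possibly obfuscated or encoded) text, and edits to build or deployment files. The build-file list, the entropy threshold and the sample PR are assumptions constructed for this example.

```python
import base64
import math
from collections import Counter

# Build/deployment files whose changes should get a second reviewer (assumed list).
BUILD_FILES = {"configure.ac", "Makefile.am", "Makefile", "CMakeLists.txt",
               "build.sh", "package.json", "setup.py"}
ENTROPY_LIMIT = 5.5  # bits per byte; readable source is usually well below 5

def is_binary(data: bytes) -> bool:
    """A blob rather than source: contains NUL bytes or is not valid UTF-8."""
    if b"\x00" in data:
        return True
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encoded or packed payloads push this toward 6 and above."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def review_flags(changed_files: dict) -> dict:
    """Map each changed path to the review red flags it raises (absent = none)."""
    flags = {}
    for path, data in changed_files.items():
        reasons = []
        if is_binary(data):
            reasons.append("binary blob: not human-readable source")
        elif shannon_entropy(data) > ENTROPY_LIMIT:
            reasons.append("high entropy: possibly obfuscated or encoded content")
        if path.rsplit("/", 1)[-1] in BUILD_FILES or path.startswith("m4/"):
            reasons.append("changes build/deployment logic")
        if reasons:
            flags[path] = reasons
    return flags

# Constructed sample PR: path -> new file contents (not real project data).
SAMPLE_PR = {
    "src/clean.c": b"int main(void) {\n    return 0;\n}\n",
    "tests/data/sample.bin": b"\x7fELF\x00" + bytes(range(256)),
    "src/loader.js": b"var p = '" + base64.b64encode(bytes(range(256))) + b"';\n",
    "configure.ac": b"AC_INIT([demo], [1.0])\nAC_OUTPUT\n",
}

if __name__ == "__main__":
    for path, reasons in review_flags(SAMPLE_PR).items():
        print(path, "->", "; ".join(reasons))
```

A flag is a prompt for a closer human review, not a verdict; legitimate test fixtures and build changes exist, which is exactly why they deserve a named second reviewer.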
“These social engineering attacks exploit the sense of obligation that maintainers have toward their projects and community to manipulate them,” write Bender Ginn and Arasaratnam. “Pay attention to how you feel when interacting. Interactions that make you feel self-doubt, inadequate, not contributing enough to the project, etc. may be part of a social engineering attack.”
They added that the OpenJS team