Dive Brief:
- The Cybersecurity and Infrastructure Security Agency is pushing to provide more resources to the open source community in the wake of the malicious attempt to launch a supply chain attack against XZ Utils, the agency said in a blog post released Friday.
- The attempted attack calls for a fundamental shift in how open source consumers work with contributors to create a more resilient and secure ecosystem, CISA said, placing the onus on the technology industry to better support the open source community.
- “In line with our Secure by Design initiative, the burden of security shouldn’t fall on an individual open source maintainer — as it did in this case to near disastrous effect,” Jack Cable, senior technical adviser, and Aeva Black, section chief of open source software security at CISA, said in the blog post. “Rather, companies consuming open source software must contribute back — either financially or through developer time — to ensure a sustainable ecosystem where open source projects have healthy and diverse maintainer communities that are resilient to burnout.”
Dive Insight:
Security researchers said the attempted supply chain attack against XZ Utils raised profound questions about the burden being placed on the open source community. Open source contributors have long operated with little to no financial compensation and get very few resources from large, wealthy technology firms that benefit greatly from their contributions.
The suspected threat actor, linked to a GitHub account @JiaT75, spent years cultivating trust within the open source community and was granted additional access by a maintainer who was experiencing burnout and other issues, according to researchers.
In a blog post released Monday, the Open Source Security Foundation and the OpenJS Foundation warned that the attempted attack against XZ Utils may not be an isolated incident and that there may be other social engineering attempts against the community.
The Open JS Foundation Cross Project Council received a number of suspicious emails asking them to make changes to a popular JavaScript project and to designate the senders of the emails as the new maintainers.
The requests bear a number of similarities to the attempts made during the XZ Utils social engineering attempts.
“We have been investigating the details of this attempt and the associated actions for most of last week,” Brian Fox, co-founder and CTO at Sonatype, said via email. “So while the specifics are not public yet, it is important for projects, foundations and maintainers to be extra vigilant. The techniques and tactics we observe are almost identical to the high pressure campaign that occurred in XZ.”