Concerns are rising in the open source community about whether there are organized — and possibly state-linked — threat groups working to exploit the ecosystem for malicious intent.
More uncertainty emerged after the Open Source Security Foundation and the OpenJS Foundation on Monday disclosed a second social engineering incident, in which a group using overlapping GitHub accounts emailed the OpenJS Foundation Cross Project Council in an attempt to take over a widely used JavaScript project.
The email writers, over a period of about six months, sought designation as the new maintainers of the project despite having little prior involvement in it. The activity, which took place before the disclosure of the XZ Utils campaign, bore similarities to it, and officials have reported the incident to federal authorities, including the Cybersecurity and Infrastructure Security Agency.
“As the investigation is ongoing, we don't yet understand the motivations of the threat actor,” Omkhar Arasaratnam, general manager of the OSSF, said via email. “We believe there may be other actors who will try this in the future and as maintainers investigate their projects, we may discover previous attempts that were not attributed.”
Beyond this second social engineering attempt, officials at OpenJS said they recognized suspicious activity involving at least two other widely used JavaScript projects that are not hosted by the foundation.
Some of the overlapping behavior involved contributors trying a little too hard to gain additional access and trust from the maintainers, as well as interactions between multiple “sock puppet” accounts that seemed too well coordinated to involve multiple, unrelated contributors.
“I would say, in this particular instance, it doesn’t feel like they were as clean,” said Brian Fox, co-founder and CTO at Sonatype. “But what I’m seeing from the XZ (attack) they’ve made some mistakes, which made it more obvious on its face that something was fishy.”
Numerous security researchers raised concerns during the XZ Utils social engineering campaign that a state-linked actor might be involved, in part because the threat activity spanned years, dating back to 2021.
In addition, the actual backdoor was not discovered until a Microsoft engineer stumbled upon some anomalous activity by chance in late March.
All of this activity has been disclosed to OpenJS leaders and CISA officials.
CISA declined to comment on the new disclosures, but the agency has been working with the open source community to boost resources and improve security as part of a wider effort by federal officials to secure the open source ecosystem.
The disclosure raised broader concerns among individual maintainers and the wider community, according to Jordan Harband, a partner maintainer for Tidelift and a maintainer of hundreds of packages in the Node.js space.
“I'm very lucky this was caught, we're all very lucky, and that this was caught very early and before it made things widely vulnerable,” Harband said via email.
The FBI was not immediately available for comment.