New open-source project takeover attacks spotted, stymied

The OpenJS Foundation has headed off a “credible takeover attempt” similar to the one that resulted in a backdoor getting included in the open-source XZ Utils package by someone who called themselves “Jia Tan”.

open-source project takeover

This malicious maintainer achieved that coveted position after a successful long-tem social engineering campaign aimed at convincing Lasse Collin – the project’s author and primary maintainer – to share the responsibility load associated with keeping the project running smoothly.

“The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails,” OpenJS Foundation and Open Source Security (OSS) Foundation leaders shared on Monday.

“These emails implored OpenJS to take action to update one of its popular JavaScript projects to ‘address any critical vulnerabilities,’ yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement.”

The OpenJS team also spotted a similar suspicious pattern in two popular JavaScript projects not hosted by the OpenJS Foundation.

A complex problem

The recent accidental discovery of the XZ backdoor has rocked the open-source ecosystem.

And while initial efforts were mostly concentrated on finding out which Linux distros it might have ended up, searching for other potentially maicious commits by “Jia Tan” and searching for clues on who might be behind that online persona, it was immediately clear that a deeper conversation on how to assure the security of open-source projects was in the offing.

One of the weakest rings in the OSS security chain is the small number of trusted developers working on open-source projects that a lot of modern open-source and closed-source/proprietary offerings depend on.

“It is estimated that 25% of all OSS projects have a single maintainer and 94% have less than 10. This means many projects are likely in need of help, so attackers can capitalize on the psychological and social aspects of maintainers to compromise legitimate packages and projects,” commented Chris Hughes, chief security advisor at Endor Labs and Cyber Innovation Fellow at CISA.

“It is also difficult to determine when attackers have been successful and inject malicious code into the projects or components without rigorous examination in many cases. Most organizations are not performing this level of due diligence on the components and projects they use and integrate into their software, not to mention lack transparency into what components their product vendors have integrated into products and which components may be compromised or vulnerable to these types of attacks.”

Robin Bender Ginn, Executive Director at the OpenJS Foundation and Omkhar Arasaratnam, General Manager at the Open Source Security (OSS) Foundation, noted that the pressure to sustain a stable and secure open-source project creates pressure on maintainers that can easily overwhelm them.

They also pointed out that the solution for the problem is complex. The Linux Foundation family of foundations and similar organizations can help open-source project maintainers/teams with business, marketing, legal and operations problems, they noted, as well as provide technical assistance on security problems.

To augment private funding of open-source projects, investments into critical open-source infrastructure by the likes of Germany’s Sovereign Tech Fund should be followed by others.

Previously, CISA has called on every technology manufacturer that profits from open-source software to contribute – either financially or through developer time – “to ensure a sustainable ecosystem where open-source projects have healthy and diverse maintainer communities that are resilient to burnout.”

Be on the lookout for malicious open-source project takeover attempts!

More immediately, though, publicly sharing details about suspicious activity can fortify open-source maintainers against social engineering attacks such as these.

Be suspicious of persistent pursuit of maintainers by relatively unknown members of the community (likely sock puppet accounts), requests to elevate new or unknown persons to mantainer staturs, and requests that create a (false) sense of urgency.

Pull requests containing blobs as artifacts and obfuscated, difficult to understand source code should be carefully reviewed.

The OpenJS and OpenSSF Foundations also urged open-source maintainers to implement a number of security best practices related to authentication, coordinated disclosure of vulnerabilities, merging new code, etc.

Hughes noted that while the OpenSSF makes some solid recommendations (e.g., knowing your committers and maintainers), it is common for folks to operate with pseudonyms and taglines, so it can be hard to distinguish malicious actors from legitimate OSS contributors and enthusiasts.

“This is especially true in cases where they play a long game and perform legitimate code contributions and activity over a long period of time to build a reputation and social capital to make their malicious activities harder to identify when they do carry them out,” he added, and pointed out an even larger issue: the opaqueness of the OSS ecosystem.

“Components and projects that run the entire modern digital infrastructure are often maintained by unknown aliases and individuals scattered around the globe.”

Mike Loukides, VP of Content Strategy for O’Reilly Media, also pointed out that the XZ Utils project takeover was facilitated by the fact that many open-source projects tolerate abusive behavior, which allowed the attacker to badger a maintainer into accepting a corrupted second maintainer.

“Has this happened before? No one knows (yet). Will it happen again? Given that it came so close to working once, almost certainly. Solutions like screening potential maintainers don’t address the real issue. The kind of pressure that the attackers applied was only possible because that kind of abuse is accepted,” he noted.

Don't miss