Open sourcerers say suspected xz-style attacks continue to target maintainers

Open source groups are warning the community about a wave of ongoing attacks targeting project maintainers similar to those that led to the recent attempted backdooring of a core Linux library.

Higher-ups at the OpenJS Foundation and Open Source Security Foundation (OpenSSF) believe the attempt to plant a backdoor into Linux's xz data compression library "may not be an isolated incident" given their recent observations.

The OpenJS Foundation Cross Project Council, a policy and governance group within the OpenJS Foundation, recently received a series of suspicious emails it believes were an attempt to mess with one of the popular, unnamed JavaScript projects it hosts.

The messages were sent from different names, all with GitHub-associated email addresses, and were all generally constructed around the same theme.

Suspected attackers were trying to get themselves added as project maintainers to "address any critical vulnerabilities," but didn't provide details on what these vulnerabilities were, which already sounds fishy.

"This approach bears strong resemblance to the manner in which 'Jia Tan' positioned themselves in the XZ/liblzma backdoor," said Robin Bender Ginn, executive director at OpenJS Foundation, and Omkhar Arasaratnam, general manager at OpenSSF.

Two other popular JS projects, ones that aren't hosted by the OpenJS Foundation, received similar messages too, the open source honchos said.

"The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS)."

Bender Ginn and Arasaratnam blogged about the discoveries to raise awareness of the suspected attacks to the wider open source community, and share known tactics used by potential criminals.

Social engineering signals

Project maintainers should be extra wary of relatively unknown users in the community who request their status be elevated to maintainer. These users might also try to improve their perceived standing in the open source crowd by getting endorsements from other accounts, which could also be using false identities, sometimes known as sock puppets.

The tone of the communications will likely be friendly, but their pursuit of a maintainer or foundation may be aggressive or overly persistent.

If they do manage to worm their way into a project's influential ranks, their code suggestions might provide clues as to their underlying intentions.

A new maintainer's code being intentionally obfuscated or difficult to understand could be a giveaway that they're trying to hide something without being detected. In the case of the xz backdoor, pull requests from Jia Tan contained blobs as artifacts, for example.

"The XZ backdoor was a cleverly crafted file as part of the test suite that wasn't human readable, as opposed to source code," said Bender Ginn and Arasaratnam.

Jia Tan also tried to gradually escalate security issues. Soon after they were able to make commits, they replaced the safe_fprintf() function with fprintf() which at the time seemed fairly innocuous, but in hindsight could have been an early attempt to introduce a character escape vulnerability.

Malicious outsiders may also be observed deviating from the project's typical build and deployment practices. Deviation from norms in any context should be viewed with raised eyebrows, but in open source, it could signal an attacker's intent to introduce malicious payloads into the project.

The typical behavior of phone and email scammers – a false sense of urgency – should be treated with caution too, since the outsider could be trying to force a security review through quickly, which could potentially allow their naughtiness to go undetected.

"These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them," said Bender Ginn and Arasaratnam.

"Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack.

"Social engineering attacks like the ones we have witnessed with XZ/liblzma were successfully averted by the OpenJS community. These types of attacks are difficult to detect or protect against programmatically as they prey on a violation of trust through social engineering.

"In the short term, clearly and transparently sharing suspicious activity like those we mentioned above will help other communities stay vigilant. Ensuring our maintainers are well supported is the primary deterrent we have against these social engineering attacks."

More resources, fewer problems

In addition to the steps outlined in their blog post on the matter, Bender Ginn and Arasaratnam echoed the oft-cited issues with open source as ones to address to increase the level of security in the wider community.

Small teams or lone developers are behind some of the most widely relied upon projects in the world – often by commercial entities that provide little if anything in return – and as such can't be expected to also be the necessary security talent too.

They pointed to existing funding projects that have already led to various improvements across open source projects, such as the security-focused Alpha-Omega project, which is supported financially by Microsoft, Amazon, and Google.

"The OpenJS Foundation has experienced how funding developers for security has had a proven impact through Alpha-Omega investments in Node.js and jQuery."

The German government has stepped in to offer support to the open source ecosystem through the Sovereign Tech Fund, which aims to support foundations like OpenJS to strengthen infrastructure and security.

"We are advocating for more global public investment in initiatives like the Sovereign Tech Fund to invest in [global] open source... that society depends on, complementary to [existing] private funding," said Bender Ginn and Arasaratnam.

"We recommend that public institutions learn from, adapt, and coordinate with Germany's Sovereign Tech Fund to support our interconnected open source projects and shared digital economies." ®