OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

17.04.2024


Security researchers have discovered a “credible” attempt to infiltrate the OpenJS Foundation, reminiscent of a recent incident targeting the open-source XZ Utils project.

“The OpenJS Foundation Cross Project Council received suspicious emails with similar content, originating from different names but sharing GitHub-associated emails,” stated a joint alert from the OpenJS Foundation and the Open Source Security Foundation (OpenSSF).

Robin Bender Ginn, executive director of the OpenJS Foundation, and Omkhar Arasaratnam, general manager at OpenSSF, revealed that the emails urged the OpenJS Foundation to address critical vulnerabilities in one of its popular JavaScript projects without specifying details. Additionally, the authors of these emails requested to be appointed as new project maintainers despite limited prior involvement. Similar activity was reported targeting two other popular JavaScript projects not hosted by OpenJS.

Importantly, none of the individuals who contacted OpenJS were granted privileged access to any project hosted by the foundation.

The approach mirrors the tactics used against the sole maintainer of XZ Utils, who was pressured by fake personas in what is believed to have been a social engineering campaign aimed at installing Jia Tan (aka JiaT75) as a co-maintainer of the project.

This raises concerns that the XZ Utils incident might not be an isolated case but rather part of a broader campaign to compromise the security of various projects, as noted by the two open-source organizations. However, the names of the JavaScript projects involved were not disclosed.

Jia Tan’s digital footprint is limited to their contributions, suggesting that the account was created solely to gain credibility within the open-source community over time and ultimately introduce a covert backdoor into XZ Utils.

This underscores the sophistication and patience involved in planning and executing such campaigns. Volunteer-run open-source projects like XZ Utils are widely used in Linux distributions, so compromising one of them creates supply chain risk for every downstream organization and user.

The XZ Utils backdoor also exposes a structural weakness of the open-source ecosystem: the risks that follow from maintainer burnout, a point the U.S. Cybersecurity and Infrastructure Security Agency (CISA) made last week.

“The responsibility for security should not rest solely on individual open-source maintainers, as it did in this case, with almost disastrous consequences,” stated CISA officials Jack Cable and Aeva Black.
