Different Makes an attempt to Take Over Open Supply Initiatives
After the XZ Utils discovery, folks have been analyzing different open-source initiatives. Shocking nobody, the incident shouldn’t be distinctive:
The OpenJS Basis Cross Undertaking Council acquired a suspicious sequence of emails with related messages, bearing totally different names and overlapping GitHub-associated emails. These emails implored OpenJS to take motion to replace one in every of its common JavaScript initiatives to “tackle any vital vulnerabilities,” but cited no specifics. The e-mail creator(s) needed OpenJS to designate them as a brand new maintainer of the challenge regardless of having little prior involvement. This strategy bears sturdy resemblance to the style during which “Jia Tan” positioned themselves within the XZ/liblzma backdoor.
[…]
The OpenJS crew additionally acknowledged an identical suspicious sample in two different common JavaScript initiatives not hosted by its Basis, and instantly flagged the potential safety issues to respective OpenJS leaders, and the Cybersecurity and Infrastructure Safety Company (CISA) inside the USA Division of Homeland Safety (DHS).
The article features a checklist of suspicious patterns, and one other checklist of safety finest practices.
Posted on April 18, 2024 at 7:06 AM •
10 Feedback
Sidebar photograph of Bruce Schneier by Joe MacInnis.