Fears over copycat XZ-style attacks mount as open source devs targeted with suspicious emails


A recent attempt to insert a backdoor in a widely used open source software project was not a one-off, as other similar attempts to meddle with open source projects have now been discovered.

Last month a mysterious backdoor was discovered in the XZ Utils library, included in many Linux distributions. Attackers with knowledge of the flaw could have gained unauthorized remote access to Linux systems that used the library.

While it is still unclear who introduced the backdoor, which was found before it could spread very far into Linux distributions, it appears to have been a sophisticated attempt to embed a serious flaw into software used on millions of systems.

Now the OpenJS Foundation, home to JavaScript projects used on many websites, has identified what it said was a similar “credible” takeover attempt of another project - and perhaps two others.

The OpenJS Foundation Cross Project Council said it had received a series of suspicious emails with similar messages, from senders with different names but “overlapping” GitHub-associated emails.

These messages asked OpenJS to update a popular JavaScript project to “address any critical vulnerabilities”, without going into details.

The sender of the emails asked OpenJS to add them as a new maintainer of the project, despite having little prior involvement. OpenJS said none of these individuals have been given privileged access to the OpenJS-hosted project.

“This approach bears strong resemblance to the manner in which ‘Jia Tan’ positioned themselves in the XZ/liblzma backdoor,” wrote Robin Bender Ginn, executive director of the OpenJS Foundation and Omkhar Arasaratnam, general manager at the Open Source Security Foundation (OpenSSF).

The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects, neither of which were hosted by its foundation. It has raised these potential security concerns with the US Cybersecurity and Infrastructure Security Agency (CISA).

“Open source projects always welcome contributions from anyone, anywhere, yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a ‘quick fix’ to any problem,” the execs said.

The OpenJS Foundation and the OpenSSF have now warned all open source maintainers to be alert to social engineering takeover attempts, and to look out for the early signs of phishing. They have compiled a list of suspicious patterns in social engineering takeovers, which could include:

  • Friendly yet aggressive and persistent pursuit of a maintainer, or their foundation or company, by relatively unknown members of the community
  • Request to be upgraded to maintainer status by new or unknown persons
  • Endorsement coming from other unknown members of the community who may also be using false identities, AKA “sock puppets”
  • Pull requests containing blobs as artifacts. For example, the XZ backdoor was a cleverly crafted file as part of the test suite that wasn’t human readable, the open source groups said
  • Intentionally obfuscated or difficult to understand source code
  • Gradually escalating security issues: for example, the XZ issue started off with a relatively innocuous replacement to see who would notice
  • Deviation from typical project compile, build, and deployment practices which could allow malicious payloads into blobs, zips, or other binary artifacts
  • A false sense of urgency, especially if this forces a maintainer to reduce the thoroughness of a review or bypass a control
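Several of the patterns above (opaque blobs in pull requests, obfuscated source, changes that deviate from normal build practice) can be screened for mechanically before a human review. The script below is an added example written for this article; it is not code from OpenJS, OpenSSF or the XZ project. It inspects a change set given as a mapping of file path to contents and flags files that are not human-readable text, that carry high-entropy (compressed or encrypted) content, that embed long base64-like runs in source, or that touch build plumbing. The file names, the `BUILD_PLUMBING` list and the sample contents are constructed assumptions for the demonstration, not values taken from any real project.

```python
"""Heuristic pre-merge screen for opaque artifacts in a change set.

Added example (not from the article or from OpenJS/OpenSSF). Flags the
"blobs as artifacts", "obfuscated source" and "deviation from build
practices" warning signs. All file names and contents below are
constructed sample data.
"""
import base64
import math
import re
from pathlib import PurePosixPath

# Files that shape how the project is compiled and packaged; a change here
# deserves a second reviewer. Assumption: a typical autotools/CMake layout.
BUILD_PLUMBING = {"configure.ac", "Makefile.am", "CMakeLists.txt", "build.sh"}
BUILD_DIRS = ("m4/", ".github/workflows/")

# A run of 200+ base64-alphabet characters inside a text file usually means
# an embedded encoded payload rather than hand-written source.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")
HIGH_ENTROPY = 7.0  # bits per byte; plain text and source sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_file(path: str, data: bytes) -> list[str]:
    """Return human-readable findings for one changed file (empty list = nothing odd)."""
    findings = []
    p = PurePosixPath(path)
    if p.name in BUILD_PLUMBING or any(path.startswith(d) for d in BUILD_DIRS):
        findings.append("touches build/release plumbing")
    try:
        text = data.decode("utf-8")
        is_text = "\x00" not in text  # valid UTF-8 but with NUL bytes is still a blob
    except UnicodeDecodeError:
        is_text = False
    if not is_text:
        findings.append("binary blob, not human readable")
        if shannon_entropy(data) > HIGH_ENTROPY:
            findings.append("high entropy (compressed/encrypted content)")
        if path.startswith("tests/"):
            findings.append("opaque test fixture; confirm how it was generated")
    elif BASE64_RUN.search(text):
        findings.append("long base64-like run embedded in source")
    return findings


def review_changes(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Map every changed path to its findings; clean files map to []."""
    return {path: inspect_file(path, data) for path, data in files.items()}


# Constructed sample change set standing in for the files of a pull request.
SAMPLE_CHANGES = {
    "src/parse.c": b'#include <stdio.h>\nint main(void) { puts("hello"); return 0; }\n',
    "tests/files/sample.bin": bytes(range(256)) * 8,  # every byte value equally often
    "tests/helper.py": b"PAYLOAD = '" + base64.b64encode(bytes(range(256)) * 2) + b"'\n",
    "m4/build-helper.m4": b"AC_DEFUN([X_HELPER], [AC_MSG_NOTICE([ok])])\n",
}

if __name__ == "__main__":
    for path, notes in review_changes(SAMPLE_CHANGES).items():
        print(path, "->", "; ".join(notes) or "clean")
```

Running the script on the constructed change set marks `src/parse.c` clean, the uniform-byte fixture as a high-entropy binary blob in the test suite, the helper with an embedded base64 payload, and the m4 file as a build-plumbing change. A check like this only routes a change to closer human scrutiny; it cannot decide whether an opaque fixture is legitimate, so the output is a reviewer prompt, not a verdict.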

The open source groups said these social engineering attacks are exploiting the sense of duty that maintainers have towards their projects and community.

Conversations that create self-doubt, feelings of inadequacy, or of not doing enough for the project might be part of a social engineering attack, they said. “These types of attacks are difficult to detect or protect against programmatically as they prey on a violation of trust through social engineering”.

There are also steps to take to improve the overall security of open source projects, such as enabling two-factor or multifactor authentication, using a secure password manager and having a security policy that includes a “coordinated disclosure” process for reports.

Open source projects should, if possible, have a second developer conduct code reviews before merging, even when the request comes from a maintainer. Project leaders should know their committers and maintainers, and review them regularly.

Open source developers under pressure

While these steps might stop social engineering attacks in the short term, they don’t address the longer term problem, which is that open source maintainers need more support.

“The pressure to sustain a stable and secure open source project creates pressure on maintainers. For example, many projects in the JavaScript ecosystem are maintained by small teams or single developers who are overwhelmed by commercial companies who depend on these community-led projects yet contribute very little back,” the Foundation added.

There are a few initiatives aimed at supporting these small projects which underpin big parts of the internet – for example Alpha-Omega, an associated project of the OpenSSF, funded by Microsoft, Google, and Amazon, funds critical projects and ecosystems. The Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, is providing open source organizations funding to strengthen infrastructure and security.

“We are advocating for more global public investment in initiatives like the Sovereign Tech Fund to invest in open source global that society depends on, complementary to private funding,” the two open source bodies said.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.