New open-source project takeover attacks spotted, stymied
2024-04-16 13:07

"The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails," OpenJS Foundation and Open Source Security Foundation leaders shared on Monday.

"These emails implored OpenJS to take action to update one of its popular JavaScript projects to 'address any critical vulnerabilities,' yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement."

Robin Bender Ginn, Executive Director at the OpenJS Foundation, and Omkhar Arasaratnam, General Manager at the Open Source Security Foundation, noted that the demands of sustaining a stable and secure open-source project put pressure on maintainers that can easily overwhelm them.

The Linux Foundation family of foundations and similar organizations can help open-source project maintainers and teams with business, marketing, legal and operations problems, they noted, as well as provide technical assistance on security problems.

Be on the lookout for malicious open-source project takeover attempts!

Mike Loukides, VP of Content Strategy for O'Reilly Media, also pointed out that the XZ Utils project takeover was facilitated by the fact that many open-source projects tolerate abusive behavior, which allowed the attacker to badger a maintainer into accepting a corrupted second maintainer.
News URL

https://www.helpnetsecurity.com/2024/04/16/open-source-project-takeover/