More threats against open source software could be coming soon, experts warn

XZ Utils flaw was not an isolated incident


The recent attack on the XZ Utils supply chain was not an isolated incident, but rather part of a larger social engineering campaign that also targeted numerous JavaScript projects, experts have warned.

In a joint blog post, the Open Source Security Foundation (OpenSSF) and the OpenJS Foundation said that the OpenJS Foundation Cross Project Council received “a suspicious series of emails”, all similar to one another and sent from similar GitHub-associated email addresses.

In the messages, the senders urged OpenJS to update one of its popular JavaScript projects to “address any critical vulnerabilities”. Furthermore, they asked to be made new maintainers of the project - the same tactic used in the XZ Utils supply chain attack, where the attacker was granted maintainer status before inserting the backdoor.

False sense of urgency


The attacks were, fortunately, not successful, the blog adds, as none of these individuals were given any privileged access.

Still, maintainers should be wary of “friendly yet aggressive and persistent” people demanding maintainer status for different projects - especially people who are relatively unknown members of the community. Endorsements of such individuals from other unknown or inactive community members should not be taken at face value either, as they may come from “sock puppets” - fake identities controlled by the same party and working towards the same goal.

Finally, the attackers will try to establish a false sense of urgency, all so that the maintainers drop their guard and grant them privileged access.

“These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them,” the researchers warn. “Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack.”


XZ Utils, a set of data compression tools and libraries used by major Linux distros, was found to contain a backdoor tracked as CVE-2024-3094. The malicious code was introduced into XZ version 5.6.0 by a pseudonymous attacker who had gained maintainer access, and persisted in 5.6.1 as well. The discovery delayed the release of the Ubuntu 24.04 beta by a week.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
