
The backdoor in the Linux compression tool xz may not have been an isolated incident, say the Open Source Security Foundation and the OpenJS Foundation in a joint statement. They or their members recently intercepted multiple attempts to infiltrate open-source software projects.

The organizations claim actors targeted at least three different JavaScript projects by asking administrators to include ‘suspicious’ updates, or soliciting to become co-managers of projects.

The two don’t share which software this is about, for security reasons. Still, according to Omkhar Arasaratnam, general manager of the Open Source Security Foundation (OpenSSF), it concerns at least one application downloaded tens of millions of times each week.

Stopped before doing any damage

While it didn’t become clear what the malicious actors hoped to achieve, Arasaratnam says his club stopped the attempt to infiltrate the project ‘before they could get that far’. The suspicion is that, like the xz scenario, the aim was to build backdoors into existing projects.

Both open-source advocacy groups call on all administrators to be extra vigilant about attempts at social engineering. In the case of the xz backdoor, the person or group pressured Linux distributors to include compromised versions by touting new features.

Others, suspected accomplices, urged the tool’s creator to hand over the project because of the scarcity of recent updates. The supposed ‘successor’ had already made several contributions and gained credibility through third-party endorsements.

Quickly recognize manipulation tactics

The two organisations’ statement includes tips for recognizing such manipulation tactics in time. These include friendly but persistent approaches to the administrator by relatively unknown community members, requests by unknown individuals to be granted administrator status, the use of false identities, and pull requests that carry opaque blobs as artefacts (the xz backdoor, for example, was hidden in a cleverly crafted test suite file that no human could read, rather than in regular source code).

Other red flags are intentionally hard-to-understand source code and gradually escalating security problems, introduced to see whether anyone notices. Last but not least, creating a false sense of urgency, thereby capitalizing on an administrator’s sense of responsibility.
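One of the red flags above, opaque blobs arriving in a pull request (especially under a test directory), is something a maintainer can check mechanically before reading the diff by hand. The script below is an added illustration, not code from the foundations’ statement or from any project mentioned here. It assumes the changed files of a pull request are available as a path-to-bytes mapping; the paths and contents in SAMPLE_CHANGES are constructed for this example. It flags files that look binary, files whose byte entropy is near the maximum (packed or encrypted data), and notes when such a file sits in the test tree, where reviewers tend to look least closely.

```python
import math

# Constructed changed-file set standing in for a pull request's added or
# modified files. Paths and contents are invented for this example.
SAMPLE_CHANGES = {
    "src/parser.py": b"def parse(line):\n    return line.strip().split(',')\n",
    "tests/fixtures/expected_output.txt": b"ok,1\nok,2\nerror,3\n",
    # Opaque blob dropped into the test tree: every byte value, many times over.
    "tests/fixtures/corrupt_input.bin": bytes(range(256)) * 16,
}

# Directory names that mark a path as part of the test tree (assumed convention).
TEST_DIR_MARKERS = ("test", "tests", "fixtures", "testdata")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_binary(data: bytes, sample_size: int = 4096) -> bool:
    """Treat NUL bytes, or a large share of non-printable bytes, as 'not source'."""
    sample = data[:sample_size]
    if not sample:
        return False
    if b"\x00" in sample:
        return True
    printable = sum(
        1 for b in sample if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)
    )
    return (len(sample) - printable) / len(sample) > 0.30


def in_test_tree(path: str) -> bool:
    """True when any directory component of the path is a test-tree marker."""
    directories = path.lower().split("/")[:-1]
    return any(d in TEST_DIR_MARKERS for d in directories)


def review_changes(changes, entropy_threshold: float = 7.0):
    """Return {path: [reasons]} for changed files that deserve a human look before merge."""
    findings = {}
    for path, data in changes.items():
        reasons = []
        if looks_binary(data):
            reasons.append("binary content, not human-readable source")
        entropy = shannon_entropy(data)
        if entropy >= entropy_threshold:
            reasons.append(
                f"high entropy ({entropy:.2f} bits/byte): packed or encrypted data"
            )
        # Context, not a finding on its own: an opaque file in the test tree is
        # exactly where a reviewer is least likely to open it.
        if reasons and in_test_tree(path):
            reasons.append("placed in the test tree, where reviewers rarely look closely")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in review_changes(SAMPLE_CHANGES).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

In a real pre-merge hook the mapping would be built from the pull request’s file list; the point of the check is not to block binaries outright (some projects legitimately ship test corpora) but to make sure every opaque artefact is explicitly looked at and its origin explained, rather than waved through as ‘just a test file’.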

Both the OpenJS Foundation and the Open Source Security Foundation notified the U.S. government’s cybersecurity watchdog of the infiltration attempts. The latter, incidentally, did not immediately respond.

Read more: xz-Utils available again on GitHub, creator investigates backdoor