XZ Utils-Like Takeover Attempt Targets the OpenJS Foundation
2024-4-18 03:23:15 Author: securityboulevard.com

The OpenJS Foundation, which oversees multiple JavaScript projects, thwarted a takeover attempt of at least one project that has echoes of the dangerous backdoor found in versions of the XZ Utils data compression library that failed only because a Microsoft engineer incidentally discovered it.

The malicious code targeting XZ Utils was put together over two years by an unknown bad actor who started by creating a GitHub account and contributing to several open source projects, taking on a larger role in the XZ repository to the point where they could make changes to XZ Utils and sneak in the highly obfuscated backdoor, now tracked as CVE-2024-3094.

The damage the supply chain attack would have wrought if it had gone further would have been significant given how widely used the XZ Utils library is.

The OpenJS Foundation’s Cross Project Council recently received a series of suspicious emails pressuring the Foundation to update one of its projects to “address any critical vulnerabilities,” though no details were given. The emails carried “similar messages, bearing different names and overlapping GitHub-associated emails,” Robin Bender Ginn, executive director of the OpenJS Foundation, and Omkhar Arasaratnam, general manager of the Open Source Security Foundation, wrote in a blog post.

“The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement,” Ginn and Arasaratnam wrote. “This approach bears strong resemblance to the manner in which ‘Jia Tan’ positioned themselves in the XZ/liblzma backdoor.”

Jia Tan was the name under which the GitHub account in the XZ Utils incident was opened in 2021, according to a timeline of the threat actor.

Similar Patterns

In addition, OpenJS members detected a similarly suspicious pattern involving two other popular JavaScript projects that aren’t hosted by the Foundation. The security concerns were forwarded to OpenJS leaders as well as CISA and the Homeland Security Department.

None of the people who wrote the emails were given privileged access, according to Ginn and Arasaratnam, who pointed to security policies outlined by the Foundation’s security working group.

“Open source projects always welcome contributions from anyone, anywhere, yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a ‘quick fix’ to any problem,” they wrote.

OpenJS and the Linux Foundation said they wanted to warn open source maintainers about the threat.

Ginn and Arasaratnam outlined signs that foundation administrators and developers should look for to ferret out such attacks: friendly but aggressive and persistent pursuit of maintainers or their foundations by unknown community members; requests by such members to be elevated to maintainer status; endorsements from other unknown members who may also be using false identities, also known as “sock puppets”; and intentionally obfuscated or difficult-to-understand source code.
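The warning signs above can be turned into a first-pass triage check that a foundation or project could run before acting on a maintainer-access request. The script below is an added example, not code from the OpenJS or OpenSSF post; the contributor records, thresholds (one year of tenure, twenty merged PRs, three contacts in fourteen days) and the account names are constructed assumptions chosen for illustration, and a real deployment would feed it from the project's own contribution history.

```python
"""Triage a maintainer-access request against the warning signs in the
OpenJS/OpenSSF post: little prior involvement, persistent pressure,
endorsements from other unknown accounts, and vague security urgency.
Added example with constructed data; thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Contributor:
    login: str
    account_created: date
    first_contribution: Optional[date]  # None if the account never contributed
    merged_prs: int
    reviews_given: int


@dataclass
class AccessRequest:
    requester: str
    endorsers: List[str]
    contact_dates: List[date]   # dates of emails/messages pushing for the change
    cites_specific_issue: bool  # does the request name a concrete, verifiable bug?


# Assumed thresholds; tune per project.
MIN_TENURE_DAYS = 365
MIN_MERGED_PRS = 20
PRESSURE_WINDOW_DAYS = 14
PRESSURE_THRESHOLD = 3


def involvement_is_low(c: Contributor, today: date) -> bool:
    """'Little prior involvement': short tenure or few merged changes."""
    if c.first_contribution is None:
        return True
    tenure = (today - c.first_contribution).days
    return tenure < MIN_TENURE_DAYS or c.merged_prs < MIN_MERGED_PRS


def triage(request: AccessRequest, contributors: Dict[str, Contributor],
           today: date) -> Tuple[str, List[str]]:
    """Return (decision, flags). Any flag routes the request to extended review."""
    flags: List[str] = []
    requester = contributors.get(request.requester)
    if requester is None or involvement_is_low(requester, today):
        flags.append("requester_low_involvement")

    # Endorsers that are themselves unknown to the project (possible sock puppets).
    unknown = [e for e in request.endorsers
               if e not in contributors or involvement_is_low(contributors[e], today)]
    if unknown:
        flags.append("endorsers_low_involvement")

    # Persistent pressure: several contacts inside a short window.
    dates = sorted(request.contact_dates)
    for start in dates:
        end = start + timedelta(days=PRESSURE_WINDOW_DAYS)
        if sum(1 for d in dates if start <= d <= end) >= PRESSURE_THRESHOLD:
            flags.append("persistent_pressure")
            break

    if not request.cites_specific_issue:
        flags.append("vague_security_urgency")

    return ("hold_for_extended_review" if flags else "normal_process"), flags


# Constructed contributor history (not real accounts).
CONTRIBUTORS = {
    "longtime-dev": Contributor("longtime-dev", date(2018, 1, 10), date(2018, 3, 1), 140, 300),
    "core-reviewer": Contributor("core-reviewer", date(2016, 5, 2), date(2016, 6, 1), 400, 900),
    "newacct-1": Contributor("newacct-1", date(2024, 2, 20), date(2024, 3, 5), 2, 0),
    "newacct-2": Contributor("newacct-2", date(2024, 2, 21), None, 0, 0),
}
TODAY = date(2024, 4, 15)


def example_suspicious() -> Tuple[str, List[str]]:
    """New account, unknown endorsers, four nudges in two weeks, no concrete bug."""
    req = AccessRequest("newacct-1", ["newacct-2", "unknown-3"],
                        [date(2024, 3, 30), date(2024, 4, 2), date(2024, 4, 9), date(2024, 4, 14)],
                        cites_specific_issue=False)
    return triage(req, CONTRIBUTORS, TODAY)


def example_legitimate() -> Tuple[str, List[str]]:
    """Long-standing contributor, endorsed by a core reviewer, single contact."""
    req = AccessRequest("longtime-dev", ["core-reviewer"], [date(2024, 4, 1)],
                        cites_specific_issue=True)
    return triage(req, CONTRIBUTORS, TODAY)


if __name__ == "__main__":
    print(example_suspicious())
    print(example_legitimate())
```

The point of the check is not to auto-reject anyone, but to make sure a request that trips any of the signals goes through the slower, earned-trust path the post describes rather than being granted as a “quick fix.”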

Challenges of Maintaining Projects

Ginn and Arasaratnam said threats like the backdoor in XZ Utils and the more recent attempt against the OpenJS Foundation highlight the growing threat of supply-chain attacks to the open source community. The growing adoption – and rising number – of open source components in modern software are among the trends helping to drive the increase in supply chain attacks. In a report earlier this year, the Identity Theft Resource Center said that between 2018 and 2023, the number of organizations targeted in such attacks had grown more than 2,600% and the number of victims jumped more than 1,400%.

Ginn and Arasaratnam wrote that the need to sustain a stable and secure open source project puts pressure on those maintaining it.

“For example, many projects in the JavaScript ecosystem are maintained by small teams or single developers who are overwhelmed by commercial companies who depend on these community-led projects yet contribute very little back,” they wrote. “To solve a problem of this scale, we need vast resources and public/private international coordination.”

Some Help on the Way

Ginn and Arasaratnam said some help is coming from open source foundations like OpenJS, adding that “maintainers often lack the time, people and expertise in areas such as security. Neutral foundations help support the business, marketing, legal and operations behind hundreds of open source projects that so many rely upon. … As vendor-neutral nonprofits, we are uniquely positioned to offer expertise garnered from multiple stakeholders represented in our organizations.”

For security, foundations look to provide technical assistance and direct support to projects, they wrote, pointing to Alpha-Omega, a project associated with the OpenSSF and funded by Microsoft, Google, and Amazon that funds critical projects and ecosystems. The OpenJS Foundation has used Alpha-Omega investments for Node.js and jQuery.

They also noted the Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, which also offers funding to the OpenJS Foundation and other open source organizations.

“They have built a model with detailed reporting and accountability of resources, yet at the same time, have technical expertise on staff to customize security proposals for the variety of open source projects they fund,” they wrote.

Article source: https://securityboulevard.com/2024/04/xz-utils-like-takeover-attempt-targets-the-openjs-foundation/