Researchers stop ‘credible takeover attempt’ similar to XZ Utils backdoor incident
Security researchers have stopped a “credible” takeover attempt reminiscent of the recent XZ Utils backdoor incident — further highlighting the urgent need to address weaknesses in the management of open source software.
Researchers at the OpenJS Foundation — which hosts JavaScript projects used by billions of websites worldwide — said Monday that they “received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails.”
These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics, they said.
“The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement,” said OpenJS Foundation Executive Director Robin Bender Ginn and Open Source Security Foundation (OpenSSF) General Manager Omkhar Arasaratnam.
The experts said the approach resembled the way a threat actor going by the name “Jia Tan” managed to infiltrate the XZ Utils data compression project — which caused alarm among cybersecurity defenders due to the sophistication of the inserted code and the significant effort put into the operation. In that situation, malicious actors preyed on an exhausted maintainer to get access to the project.
Ginn and Arasaratnam said none of the people who contacted OpenJS were given privileged access to the OpenJS-hosted project, which has security policies in place, including those outlined by the Foundation’s security working group.
They view the attempt as another example of why open source maintainers need to stay on high alert for social engineering takeover attempts.
The researchers’ post adds that the OpenJS team recognized a similar suspicious pattern in two other popular JavaScript projects, neither of them hosted by the foundation, and immediately flagged the incident to the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security.
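The pattern OpenJS describes above (near-duplicate messages, different sender names, overlapping GitHub-associated emails, urgency with no specifics, little prior involvement) is one a foundation's security working group can at least triage mechanically. The script below is an added illustration of such a triage heuristic; it is not OpenJS tooling or anything from the foundation's post. The request fields, the similarity and contribution thresholds, and the sample inbox are all assumptions constructed for the example.

```python
"""Triage heuristic for maintainer-access requests (added example, not OpenJS tooling).

Clusters inbound requests that share the pattern OpenJS described: near-duplicate
wording under different sender names, overlapping GitHub-associated emails,
manufactured urgency with no specifics, and little prior involvement.
Field names, thresholds and the sample requests are assumptions for illustration.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import re

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|critical|asap|right away)\b", re.I)
# Anything concrete a genuine report would carry: a CVE id, an issue/PR reference, a link.
SPECIFICS = re.compile(r"CVE-\d{4}-\d{4,}|#\d+|https?://\S+", re.I)


@dataclass(frozen=True)
class AccessRequest:
    sender_name: str
    from_email: str
    github_emails: frozenset  # emails on the sender's GitHub account (assumed available)
    body: str
    merged_prs: int  # prior merged contributions to this project


def similarity(a: str, b: str) -> float:
    """Character-level near-duplicate score in [0, 1]."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def request_flags(req: AccessRequest, min_prs: int = 3) -> list:
    """Per-request red flags; min_prs is an assumed threshold."""
    flags = []
    if URGENCY.search(req.body) and not SPECIFICS.search(req.body):
        flags.append("urgency-without-specifics")
    if req.merged_prs < min_prs:
        flags.append("little-prior-involvement")
    return flags


def cluster_requests(requests, sim_threshold: float = 0.8) -> list:
    """Link two requests if their bodies are near-duplicates or their email sets overlap.
    Returns clusters as sorted lists of indices into `requests` (union-find)."""
    n = len(requests)
    parent = list(range(n))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    emails = [r.github_emails | {r.from_email} for r in requests]
    for i in range(n):
        for j in range(i + 1, n):
            if emails[i] & emails[j] or similarity(requests[i].body, requests[j].body) >= sim_threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i in range(n):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


def triage(requests, sim_threshold: float = 0.8) -> list:
    """One report entry per cluster; several names behind shared emails or shared
    wording is the sockpuppet signature worth a second look."""
    report = []
    for members in cluster_requests(requests, sim_threshold):
        names = {requests[i].sender_name for i in members}
        addrs = {i: requests[i].github_emails | {requests[i].from_email} for i in members}
        shared = set()
        for a in members:
            for b in members:
                if a < b:
                    shared |= addrs[a] & addrs[b]
        flags = sorted({f for i in members for f in request_flags(requests[i])})
        report.append({
            "members": members,
            "distinct_names": len(names),
            "shared_emails": sorted(shared),
            "flags": flags,
            "suspicious": len(members) > 1 and len(names) > 1,
        })
    return report


# Constructed sample inbox: three coordinated requests and one ordinary volunteer.
SAMPLE_REQUESTS = [
    AccessRequest("Alex Rivera", "alex@example.net",
                  frozenset({"alex@example.net", "dev-shared@example.org"}),
                  "Hi, I noticed the project has critical vulnerabilities that need urgent attention. "
                  "Please add me as a maintainer so I can address any critical vulnerabilities immediately.", 0),
    AccessRequest("Sam Chen", "sam.chen@example.com",
                  frozenset({"sam.chen@example.com", "dev-shared@example.org"}),
                  "Hello, I noticed the project has critical vulnerabilities needing urgent attention. "
                  "Please add me as a maintainer so I can address critical vulnerabilities immediately.", 1),
    AccessRequest("Jordan Lee", "jordan@example.io", frozenset({"jordan@example.io"}),
                  "Hi, I have been reviewing the project and it has critical vulnerabilities that need urgent "
                  "attention. Please add me as maintainer so I can address any critical vulnerabilities immediately.", 0),
    AccessRequest("Priya Natarajan", "priya@example.edu", frozenset({"priya@example.edu"}),
                  "I'd like to help maintain the parser module. I fixed #412 and #430 last quarter and can "
                  "take on triage duty; no rush, happy to start with reviewer rights.", 14),
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_REQUESTS):
        print(entry)
```

The heuristic only surfaces the textual and identity overlap that OpenJS reported; it says nothing about whether a lone, polite, well-written request is legitimate, which is why the maintainer-side guidance later in this article still matters.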
Chris Hughes — chief security advisor at open source security company Endor Labs and a Cyber Innovation Fellow at CISA — said an estimated one-quarter of all open source security projects have a single maintainer and 94% have fewer than 10.
Hughes also noted that the ecosystem is incredibly opaque, with components and projects critical to modern digital infrastructure often maintained by unknown aliases and individuals scattered around the globe.
“This makes the entire ecosystem vulnerable to malicious actors preying on these realities and taking advantage of overwhelmed maintainers with a community making demands of them with no actual compensation in exchange for their hard work and commitment to maintaining code the world depends on,” he said.
A fundamental shift
The XZ Utils backdoor situation has raised concerns among security experts about a range of issues connected to open source projects. Over a period of months, the maintainer of the project was cajoled into handing over access to and responsibility for the project before a backdoor was quietly inserted into the code.
Microsoft engineer Andres Freund happened to discover the issue while the backdoored releases were still confined to pre-release and rolling distributions, allowing the backdoor to be removed before it was known to have been used in attacks.
CISA officials Jack Cable and Aeva Black said in a blog post on Friday that the incident “highlights a fundamental shift needed: every technology manufacturer that profits from open source software must do their part by being responsible consumers of and sustainable contributors to the open source packages they depend on.”
“The burden of security shouldn’t fall on an individual open source maintainer — as it did in this case to near-disastrous effect. Rather, companies consuming open source software must contribute back – either financially or through developer time – to ensure a sustainable ecosystem where open source projects have healthy and diverse maintainer communities that are resilient to burnout,” they wrote.
Technology manufacturers that incorporate open source software should “work to ensure — either directly or by supporting maintainers — that a secure by design software development approach is being followed.”
CISA urged companies to conduct regular code reviews, use security scanning tools, isolate build environments and have documented processes for responding to vulnerability reports and security incidents.
They noted that in addition to the first Open Source Software Security Summit held last month, the agency has been working with the open source community to create a “more resilient open source ecosystem so that organizations across the world can continue to reap the countless benefits of open source software.”
CISA and others are still working to better understand the impact of the XZ Utils compromise, they said.
Ginn and Arasaratnam are working with the Linux Foundation to release guidelines and measures maintainers should take when approached by aggressive people interested in taking over open source projects.
Granting someone administrative access to source code as a maintainer “requires a higher level of earned trust, and it is not given away as a ‘quick fix’ to any problem,” they explained.
Maintainers should also be wary of people with endorsements coming from unknown members of the community and of a manufactured “sense of urgency, especially if the implied urgency forces a maintainer to reduce the thoroughness of a review or bypass a control.”
The XZ Utils attacker allegedly used other fake accounts to push the maintainer to hand over the project and to vouch for their ability to run it unilaterally.
“These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them. Pay attention to how interactions make you feel,” they said.
“Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack… These types of attacks are difficult to detect or protect against programmatically as they prey on a violation of trust through social engineering.”
They added that ensuring maintainers are well supported “is the primary deterrent we have against these social engineering attacks.”
Project retirement homes
OpenSSF’s Arasaratnam told Recorded Future News that the cybersecurity community needs to pay closer attention to broadly used open source software with a fragile governance structure — typically projects that only have one maintainer or have maintainers who are overworked and need help.
The community also needs to be better prepared for issues that arise by having a more robust detection and incident response process, he explained.
Maintainer burnout is real, he said, noting that some are unprepared for their project to be broadly adopted across the planet.
“Some maintainers need financial support, and others require more trustworthy engineers to work on the projects. Some may not want to maintain a project that ends up part of critical infrastructure. We should be receptive to tailoring our support as required by the maintainer,” Arasaratnam said.
Chainguard CEO Dan Lorenc said the problem can often become complicated because it would not be appropriate for large companies that use these open source tools to simply take over projects from their maintainers.
But Lorenc floated a kind of “retirement home” for open source projects that maintainers can no longer take care of.
“If there was a program where they could have just said, ‘Alright, we're putting this in maintenance mode. We're putting this in a retirement home, here you go,’ and hand the keys off to a group of people everyone knows and can trust and are good at that kind of work,” he said.
“I think that would be a scalable solution for a lot of the industry. It's not going to solve it completely because a lot of people still wouldn't want to hand it off.”
Arasaratnam noted that OpenSSF has a project called Alpha-Omega that provides grants to major projects needing help to complete critical security work (Alpha) and funds efforts to address entire classes of open source vulnerabilities (Omega).
There are also government-led initiatives that address sustainable funding for open source projects, including Germany's Sovereign Tech Fund.
But he expressed concerns about the retirement home idea, wondering how developers would be vetted.
“My primary concern would be a malicious actor joining the clearinghouse/orphanage and conducting a similar attack on a much larger scale,” Arasaratnam said.
“One of the other complexities of this approach is funding. The open source community isn't homogenous. Many different people have different points of view on the ethics of who should provide funding, whether it be the private sector, public sector, or through private donations.”
While it is unclear who was behind the Jia Tan account or the larger backdoor effort, many believe its sophistication points to a state-backed actor. If accurate, Arasaratnam said it is difficult to imagine how a single maintainer could defend against a nation-state.
“Nation-state problems need to be resolved at the nation-state level,” he said.
“There is still work to be done to determine how and if the community and public sector may work together on these efforts.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.