Security specialists recently foiled an attempted takeover of a project hosted by the OpenJS Foundation, in a case that broadly resembles the recent backdoor incident in the XZ Utils compression utility.
On Monday, April 15, the non-profit OpenJS Foundation, which oversees JavaScript projects used by billions of sites around the world, received a series of suspicious emails. The senders urged it to update one of its popular projects immediately to fix critical vulnerabilities, without giving any details.
Robin Bender Ginn of OpenJS and Omkar Arasaratnam of the Open Source Security Foundation (OpenSSF) reported that the authors of the emails insisted on being made maintainers of one of the popular projects (its name has not been disclosed), despite having no prior involvement in it.
Experts noted the similarity of these methods to the actions of the hacker known as Jia Tan, to whom we had previously devoted a separate article. It was Jia Tan, whose identity may conceal a whole team of experienced hackers, who had earlier managed to plant a backdoor in XZ Utils.
Ginn and Arasaratnam emphasized that none of the people who made contact was given privileged access to the project, because the specialists quickly suspected something was wrong.
According to Chris Hughes of Endor Labs, about a quarter of all open-source projects have a single maintainer, and 94% have fewer than ten. He noted that the open-source ecosystem is extremely heterogeneous and vulnerable because of global dependence on anonymous and scattered developers.
CISA officials Jack Cable and Aeva Black argued that approaches to security in technology need to be reconsidered. In their view, companies that use open-source software must contribute to the stability of the ecosystem, whether financially or by contributing developer time.
Arasaratnam also announced that the Linux Foundation plans to develop dedicated guidance for maintainers of projects that may face aggressive attempts to seize control of them. He stressed the importance of supporting maintainers against social engineering and manipulation, which can potentially lead to very serious consequences.