The recent attack on XZ Utils' supply chain was not an isolated incident, but part of a broader social engineering campaign that sought to compromise numerous JavaScript projects, experts warned.
In a joint blog post, the Open Source Security Foundation (OpenSSF) and the OpenJS Foundation said that the OpenJS Foundation Cross Project Council had received “a suspicious series of emails,” all similar to one another and citing similar GitHub-associated email addresses.
In the messages, the senders urged OpenJS to update one of its popular JavaScript projects to “address any critical vulnerabilities.” They also asked to be appointed as new maintainers of the project, the same approach apparently used in the attack on the XZ Utils supply chain.
False sense of urgency
Fortunately, the attacks were unsuccessful, the blog adds, since none of these people had privileged access.
Still, maintainers should be wary of “friendly but aggressive and persistent” people who press for maintainer status on different projects, especially those who are relatively unknown in the community. Even those who vouch for such requests should not be fully trusted, as they are most likely “sock puppets” – false identities working towards the same goal.
Finally, attackers will try to establish a false sense of urgency, all so that maintainers will lower their guard and grant them privileged access.
“These social engineering attacks are exploiting the sense of duty that maintainers have to their project and their community in order to manipulate them,” the researchers warn. “Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, not doing enough for the project, etc., could be part of a social engineering attack.”
XZ Utils, a set of data compression libraries and tools used by major Linux distributions, was found to contain the backdoor tracked as CVE-2024-3094. The flaw was introduced in XZ version 5.6.0 by a pseudonymous attacker and also persisted in version 5.6.1. The discovery of the vulnerability delayed the release of the Ubuntu 24.04 beta by a week.
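As an added example (not part of the article or of either foundation's guidance), the following POSIX shell snippet triages a host against the two releases the article names as carrying CVE-2024-3094. The affected-version list comes from the article; the parsing assumes the usual first line of `xz --version` output, e.g. `xz (XZ Utils) 5.6.1`, and the sample output in the comments is constructed.

```shell
#!/bin/sh
# Added example: triage an installed xz-utils build against the releases the
# article names as carrying CVE-2024-3094 (5.6.0 and 5.6.1).

# Return 0 (true) when the version string is one of the named releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version` output.
# Assumed input shape (constructed sample):
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Check the xz binary on this host; prints a verdict and returns 0 if it
# matches one of the named releases, 1 otherwise or if xz is absent.
check_installed_xz() {
    out=$(xz --version 2>/dev/null) || { echo "xz not found on PATH"; return 1; }
    ver=$(xz_version_from_output "$out")
    if xz_version_affected "$ver"; then
        echo "xz $ver matches a release named as carrying CVE-2024-3094"
        return 0
    fi
    echo "xz $ver is not one of the named releases"
    return 1
}

# Usage: run the host check when executed directly.
[ "${0##*/}" = "xz_check.sh" ] && check_installed_xz
```

A version match is a triage signal, not proof of compromise: distributions that rebuilt or reverted xz may still report a matching version string, so confirm against your distribution's advisory for CVE-2024-3094 before acting.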