After the XZ Utils backdoor discovery, people have been scrutinizing other open-source projects for similar attempts to social-engineer their way into maintainer roles. Surprising no one, the incident is not unique:

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.

[…]

The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).

The article also includes a list of suspicious patterns to watch for and a list of security best practices for maintainers.
