The recent attack on the XZ Utils supply chain was not an isolated incident, but rather part of a larger social engineering campaign that sought to compromise numerous JavaScript projects, experts have warned.
In a joint blog post, the Open Source Security Foundation (OpenSSF) and the OpenJS Foundation said that the OpenJS Foundation Cross Project Council had received “a suspicious series of emails”, all similar to one another and all referencing similar GitHub-associated email addresses.
In the messages, the senders urged OpenJS to update one of its popular JavaScript projects to “address any critical vulnerabilities”. They also asked to be made new maintainers of the project – the same tactic that was apparently used in the XZ Utils supply chain attack.
False sense of urgency
Fortunately, the attempts were not successful, the blog adds: none of these individuals was given any privileged access.
Still, maintainers should be wary of “friendly yet aggressive and persistent” people demanding maintainer status on different projects – especially people who are relatively unknown in the community. Even those endorsing such individuals shouldn’t be fully trusted, as they are most likely “sock puppets” – fake identities controlled by the same actor and working towards the same goal.
Finally, the attackers try to create a false sense of urgency, so that maintainers drop their guard and grant them privileged access.
“These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them,” the researchers warn. “Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack.”
XZ Utils, a set of data compression tools and libraries used by major Linux distros, was found to contain the backdoor tracked as CVE-2024-3094. The malicious code was introduced in XZ version 5.6.0 by a pseudonymous attacker and persisted in version 5.6.1 as well. The discovery pushed back the release of the Ubuntu 24.04 beta by a week.