OpenJS Foundation Targeted in Potential Attempt to Take Over JavaScript Project

Apr 16, 2024 | Newsroom | Supply Chain / Software Security


Security researchers have discovered a "plausible" takeover attempt targeting the OpenJS Foundation that bears similarities to the recently discovered incident targeting the open-source XZ Utils project.

"The OpenJS Foundation Cross Project Council has received a suspicious series of emails with similar messages, bearing different names and overlapping emails related to GitHub," the OpenJS Foundation and the Open Source Security Foundation (OpenSSF) said in a joint alert.

According to Robin Bender Ginn, executive director of the OpenJS Foundation, and Omkhar Arasaratnam, general manager of OpenSSF, the emails urged OpenJS to take action to update one of its popular JavaScript projects to remediate a critical vulnerability, without providing any details of that vulnerability.


The author(s) of the emails also called on OpenJS to appoint them as a new maintainer of the project, despite having had minimal prior involvement with it. Two other popular JavaScript projects not hosted by OpenJS are also said to have received the same kind of approach.

None of the people who contacted OpenJS were given privileged access to the OpenJS-hosted project.

The incident brings into sharp focus the manner in which the sole maintainer of XZ Utils was targeted by fictitious personas apparently created for what is believed to have been a social-engineering and pressure campaign designed to install Jia Tan (aka JiaT75) as a co-maintainer of the project.

This raises the possibility that the attempt to sabotage XZ Utils was not an isolated incident but part of a wider campaign to undermine the security of various projects, the two open-source groups said. The names of the JavaScript projects have not been disclosed.

Jia Tan, as it stands, has no digital footprint outside of their contributions, indicating that the account was created for the sole purpose of building credibility in the open-source development community over several years and finally pushing a hidden backdoor into XZ Utils.

It also demonstrates the finesse and patience behind the planning and execution of the campaign, which targeted an open-source, volunteer-run project used by many Linux distributions and thereby put organizations and users at risk of supply chain attacks.

The XZ Utils backdoor incident also highlights the “fragility” of the open-source ecosystem and the risks posed by maintainer burnout, the US Cybersecurity and Infrastructure Security Agency (CISA) said last week.

"The burden of security should not fall on an individual open-source maintainer – as in this case of near-destructive effect," CISA officials Jack Cable and Aeva Black said.


“Every technology manufacturer that profits from open source software needs to do their part by being responsible consumers and sustainable contributors to the open source packages they rely on.”

The agency recommends that technology manufacturers and system operators that incorporate open-source components directly support, or otherwise back, those maintaining that code; conduct ongoing source code audits; eliminate entire classes of vulnerabilities; and implement other secure by design principles.

“These social engineering attacks take advantage of the sense of duty that maintainers have in their project and community to manipulate them,” said Bender Ginn and Arasaratnam.

"Pay attention to how you feel in interactions. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. can be part of a social engineering attack."
