Flutterby™! : Social Engineering Takeovers of Open Source Projects

Next unread comment / Catchup all unread comments User Account Info | Logout | XML/Pilot/etc versions | Long version (with comments) | Weblog archives | Site Map | | Browse Topics

Social Engineering Takeovers of Open Source Projects

2024-04-15 19:10:51.18911+02 by Dan Lyke 2 comments

Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.

[ related topics: Free Software Weblogs Invention and Design ]

comments in ascending chronological order (reverse):

#Comment Re: Social Engineering Takeovers of Open Source Projects made: 2024-04-16 18:17:02.997685+02 by: Definitely Not a Bot

Obviously you let them in. Don't give them the keys, keep them at arm's length, but let our 3-letter agencies spy on them.

#Comment Re: Social Engineering Takeovers of Open Source Projects made: 2024-04-17 18:48:11.419596+02 by: Dan Lyke

Good chance they're agents of "our" 3-letter agencies. Or at least as good a chance as them being agents of other TLAs.

Though "our" TLAs have been pretty subtle in some of their attacks, for instance: How the NSA (may have) put a backdoor in RSA’s cryptography: A technical primer

Add your own comment:

(If anyone ever actually uses Webmention/indie-action to post here, please email me)

Format with:

(You should probably use "Text" mode: URLs will be mostly recognized and linked, _underscore quoted_ text is looked up in a glossary, _underscore quoted_ (http://xyz.pdq) becomes a link, without the link in the parenthesis it becomes a <cite> tag. All <cite>ed text will point to the Flutterby knowledge base. Two enters (ie: a blank line) gets you a new paragraph, special treatment for paragraphs that are manually indented or start with "#" (as in "#include" or "#!/usr/bin/perl"), "/* " or ">" (as in a quoted message) or look like lists, or within a paragraph you can use a number of HTML tags:

p, img, br, hr, a, sub, sup, tt, i, b, h1, h2, h3, h4, h5, h6, cite, em, strong, code, samp, kbd, pre, blockquote, address, ol, dl, ul, dt, dd, li, dir, menu, table, tr, td, th

Comment policy

We will not edit your comments. However, we may delete your comments, or cause them to be hidden behind another link, if we feel they detract from the conversation. Commercial plugs are fine, if they are relevant to the conversation, and if you don't try to pretend to be a consumer. Annoying endorsements will be deleted if you're lucky, if you're not a whole bunch of people smarter and more articulate than you will ridicule you, and we will leave such ridicule in place.

Flutterby™ is a trademark claimed by

Dan Lyke
for the web publications at www.flutterby.com and www.flutterby.net.