Flutterby™! : Social Engineering Takeovers of Open Source Projects


Social Engineering Takeovers of Open Source Projects

2024-04-15 19:10:51.18911+02 by Dan Lyke 2 comments

Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.

[ related topics: Free Software Weblogs Invention and Design ]

comments in ascending chronological order:

#Comment Re: Social Engineering Takeovers of Open Source Projects made: 2024-04-16 18:17:02.997685+02 by: Definitely Not a Bot

Obviously you let them in. Don't give them the keys, keep them at arm's length, but let our 3-letter agencies spy on them.

#Comment Re: Social Engineering Takeovers of Open Source Projects made: 2024-04-17 18:48:11.419596+02 by: Dan Lyke

Good chance they're agents of "our" 3-letter agencies. Or at least as good a chance as them being agents of other TLAs.

Though "our" TLAs have been pretty subtle in some of their attacks, for instance: How the NSA (may have) put a backdoor in RSA’s cryptography: A technical primer