Apr 19, 2024 - Technology

Open-source developers face a potential social-engineering crisis


A wave of social-engineering attacks targeting open-source software projects is ringing alarm bells across the entire coding community.

Why it matters: The scope of the attacks is still unclear as organizations and open-source project maintainers continue to comb their code for any signs of malicious activity.

Driving the news: The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation issued an alert Monday warning open-source project maintainers that a recent social-engineering attack against a widely used Linux tool "may not be an isolated incident."

  • In the alert, the organizations noted they had thwarted similar attacks targeting three JavaScript projects.

Catch up quick: Earlier this month, Microsoft researcher Andres Freund discovered a backdoor in the latest versions of the XZ Utils compression tool, which runs on Linux-based devices.

  • Freund uncovered the backdoor before most Linux devices had updated to the latest versions, averting a widespread cybersecurity incident.
  • Researchers have linked the malicious backdoor to a GitHub user known as Jia Tan. Some suspect that a group of people — possibly connected to a nation state — ran the account, which had been slowly editing XZ for years.

The intrigue: For years, one person, Lasse Collin, updated XZ in his free time whenever bugs or security vulnerabilities came up.

  • Collin struggled to keep up with the influx of updates XZ needed, noting once that he was dealing with "longterm mental health issues" that made it difficult to prioritize the project.
  • After sending an email urging Collin to let them help out, Tan was eventually given access to the XZ GitHub account.

What they're saying: "People are sort of leaning back in some cases saying, 'Wow, we dodged a bullet,'" Brian Fox, chief technology officer at Sonatype and an OpenSSF board member, told Axios. "But that's the one bullet you know of; you don't know where the other ones are."

Between the lines: The open-source software community is built on trust among coders who actively encourage each other to build upon their projects.

  • This trust can make them even more susceptible to social-engineering attacks than the average employee or corporation.
  • In the weeks since these new attacks were uncovered, much of the community's trust has eroded, Brian Moussalli, malware research team leader at JFrog Security, told Axios.
  • "Everybody realizes that there's a problem in how things have been working so far," Moussalli said.

The big picture: The open-source community is a disparate web of organizations that includes major corporations and individual developers.

  • That means there's often no centralized way to notify all maintainers about threats or even report suspicious activity, Omkhar Arasaratnam, general manager of OpenSSF, told Axios.
  • This can lead to delays in patching and educating the community about known security threats.

Zoom in: The federal government and tech industry have launched several initiatives in recent years to get open-source project maintainers the resources they need to stay on top of security upgrades.

  • But the new social-engineering attacks call for a reevaluation of how volunteer-run, open-source projects are embedded into tech stacks and who maintains them, Arasaratnam said.
  • Officials at the Cybersecurity and Infrastructure Security Agency have said that the "companies consuming open source software" should be the ones contributing back to the ecosystem, whether through their own employee manpower or financially.

What's next: OpenSSF has received more reports about suspicious social-engineering attempts since Monday's alert, Arasaratnam said.

  • OpenSSF is also preparing to launch a centralized system to share details about known security vulnerabilities with the open-source community, he added.