New open-source project takeover attacks spotted, stymied

The OpenJS Foundation has headed off a “credible takeover attempt” similar to the one that resulted in a backdoor getting included in the open-source XZ Utils package by someone who called themselves “Jia Tan”. This malicious maintainer achieved that coveted position after a successful long-tem social engineering campaign aimed at convincing Lasse Collin – the project’s author and primary maintainer – to share the responsibility load associated with keeping the project running smoothly. “The OpenJS … More →

The post …

attacks backdoor called campaign cisa don't miss endor labs engineering foundation hot stuff maintainer malicious openjs foundation open source openssf o'reilly package project social social engineering supply chain attacks takeover tips xz utils