Sabotage of XZ Utils is probably not an isolated incident

  • April 18, 2024


After criminals nearly inserted a backdoor into a key Linux tool, it appears there have been attempts to sabotage other open source projects.

The failed sabotage of the Linux library XZ Utils was probably not an isolated case. Earlier this month it came to light that criminals had inserted a backdoor into the popular library. They achieved this by posing as valuable contributors to the open source project for years. The backdoor was discovered just in time, before the tool was widely rolled out.

The Open Source Security Foundation and the OpenJS Foundation now report that they strongly suspect other sabotage attempts using a similar modus operandi. For example, the organizations received emails from a developer who claimed to be concerned about a project's security. The project supposedly contained critical vulnerabilities, and the developer in question would fix them if only he could be made a maintainer of the project. The criminal Jia Tan used this status to infect XZ Utils.

Pretexts

At least two projects were targeted by people using a pretext to become maintainers. Both foundations have found common patterns in how the suspects operate. Anyone confronted with these patterns should be cautious. The criminals:

  • Target maintainers in a friendly but persistent way
  • Ask for maintainer status for themselves
  • Have endorsements from other (unknown) parties
  • Create pull requests with blobs as artifacts
  • Deliberately write source code that is difficult to understand
  • Gradually escalate security issues
  • Deviate from typical best practices
  • Create a sense of urgency

Anyone who encounters these signs in their project may be the target of a social engineering attack aimed at injecting malicious code. Stay alert and recognize the signals.
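Two of the red flags above, pull requests with blobs as artifacts and deviations from typical build practices, can be surfaced automatically for a human reviewer. The following Python check is an added example, not code from the foundations or from IT Daily; it parses `git diff --numstat` output, and the build-path pattern and the sample file names are assumptions constructed for illustration.

```python
import re

# Paths where a change to the build or release process would land.
# Hypothetical pattern for illustration; adapt it to the project's layout.
BUILD_PATH = re.compile(
    r"(^|/)(configure(\.ac)?|Makefile(\.am|\.in)?|CMakeLists\.txt|[^/]+\.m4)$"
    r"|^\.github/workflows/"
)

def parse_numstat(text):
    """Yield [added, deleted, path]; git prints '-' for both counts on binary files."""
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) == 3:
            yield parts

def review_flags(numstat_text):
    """Return sorted (path, reason) pairs that deserve a maintainer's close look."""
    flags = []
    for added, deleted, path in parse_numstat(numstat_text):
        if added == "-" and deleted == "-":
            # Binary content cannot be reviewed line by line like source code.
            flags.append((path, "binary blob"))
        if BUILD_PATH.search(path):
            flags.append((path, "build or release script changed"))
    return sorted(flags)

# Constructed sample of `git diff --numstat origin/main...HEAD` output.
SAMPLE = "\n".join([
    "12\t3\tsrc/decoder.c",
    "-\t-\ttests/files/sample-input.bin",
    "40\t0\tm4/build-check.m4",
    "2\t2\tREADME.md",
])

if __name__ == "__main__":
    for path, reason in review_flags(SAMPLE):
        print(f"REVIEW {path}: {reason}")
```

A flag here is a prompt for closer review, not a verdict: legitimate test fixtures are often binary, so the point is that someone other than the submitter confirms where each blob came from.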

Source: IT Daily
