Hackers tried to breach, disable widely used open-source Java tools, groups warn

Prominent open source software groups are warning that a recent incident where disguised hackers tried to sneak a vulnerability into a major open-source toolkit may not be a one-time ordeal.

The Open Source Security Foundation and OpenJS Foundation on Monday said that an attempt to insert a backdoor flaw into Linux file transfer tool XZ Utils “may not be an isolated incident” after the institutions detected a similar attempt made against JavaScript projects used in billions of sites around the world.

The institutions, which host forums for users to discuss and contribute to the security of open- source computing tools that can be downloaded and used at no cost, are “calling all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects.”

Open-source projects — which underpin software systems used everywhere — rely on contributions from community members to keep them updated with patches. The updates are often discussed on forums with volunteer software maintainers, who chat with one another about proposed changes.

OpenJS said it received a series of suspicious emails and messages from different users masquerading as contributors. The contents of their messages looked similar, and their usernames were tied to a small batch of emails linked to GitHub, a popular platform used by programmers to store, log and share repositories containing code that makes up software. They implored OpenJS to update one of its popular projects to “address any critical vulnerabilities” but did not elaborate on the purported flaws.

No OpenJS builds were compromised in the attempt, the groups said. But the anomalous behavior is similar to when an entity known as “Jia Tan” — who had been contributing to the Linux XZ Utils open source community for over two years — reported a bug March 28, requesting that a version of the software be updated with their malign code tucked inside.

If allowed to propagate, that back door could have rendered the open-source Linux ecosystem ripe for exploitation, and experts recently told Nextgov/FCW that Jia Tan and affiliate phony open-source operatives are likely tied to nation-state hackers that covertly planned the attempt for years.

OpenJS said it also recognized two separate attempts and reported them to the Cybersecurity and Infrastructure Security Agency. The trio of targeted Java projects were not named.

“Open source projects always welcome contributions from anyone, anywhere, yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a ‘quick fix’ to any problem,” the foundations said.

The XZ Utils incident highlighted “the fragility of key points in the open source ecosystem” and the risk of maintainer burnout, which can more easily make them susceptible to relinquishing control of sensitive open-source information to potential bad actors, CISA said in a Friday blog post.

“We are fortunate that the open nature of the wider open source ecosystem allowed a developer to spot this supply chain compromise before it could cause much harm. Next time, we may not be as lucky,” the agency added.

Open source code is used everywhere in commercial systems. The 2024 Open Source Security and Risk Analysis Report from Synopsys found open source components in more than 96% of over 1,000 commercial codebases, with 84% containing at least one known vulnerability.