Social engineering takeovers of open source projects

Recent cyberattacks targeting the XZ Utils and JavaScript projects have raised concerns about potential takeover attempts in the open-source community. The OpenJS Foundation and the Open Source Security Foundation (OpenSSF) have intercepted suspicious emails requesting that new maintainers with little prior involvement be appointed, a pattern reminiscent of earlier backdoor incidents. The social engineering tactics used exploit maintainers’ sense of duty and trust, which underscores the importance of staying vigilant and following security best practices. Industry and government support is needed to bolster critical open-source infrastructure so that such security vulnerabilities can be addressed effectively. The OpenJS Foundation and OpenSSF are dedicated to fostering a secure environment for the interconnected JavaScript ecosystem.

https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/