17 April 2024

OpenJS Foundation reports attempted supply-chain attacks on JavaScript projects

The OpenJS Foundation said it uncovered three attempted supply-chain attacks similar to the recent incident involving the popular compression library XZ Utils.

Earlier this month, XZ Utils was found to contain a backdoor (CVE-2024-3094) hidden within binary test files in XZ compression format. The backdoor is believed to have been introduced by the individual who goes by Jia Tan or JiaT75 online, who had been working to gain influence over XZ since April 2022.

The malicious code was found in versions 5.6.0 and 5.6.1 of XZ Utils. The backdoor is not present in the source code found in the Git repository but is introduced in the distributed tarballs.
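That detail, release tarballs carrying content absent from the Git tree, is what a downstream consumer can check for. The following is an added example, not code from the OpenJS Foundation or the XZ project: it compares the file set and per-file SHA-256 of a `git archive` export against a release tarball and reports files that exist only in the release, only in Git, or differ between the two. The two archives below are constructed in memory with placeholder file names; `configure` is included only to show that release-time generated files show up as "only in release" and need to be allow-listed by the reviewer.

```python
import hashlib
import io
import tarfile


def _entries(data: bytes) -> dict:
    """Map each regular file (leading top-level directory stripped) to its SHA-256."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            out[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out


def compare_archives(git_archive: bytes, release_tarball: bytes) -> dict:
    """Report divergence between a git archive and a distributed release tarball."""
    git, rel = _entries(git_archive), _entries(release_tarball)
    return {
        "only_in_release": sorted(set(rel) - set(git)),
        "only_in_git": sorted(set(git) - set(rel)),
        "modified": sorted(p for p in set(git) & set(rel) if git[p] != rel[p]),
    }


def _make_tar(prefix: str, files: dict) -> bytes:
    """Build a gzipped tarball in memory (helper for the constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample archives with placeholder names; not real project data.
GIT_ARCHIVE = _make_tar("proj-1.0", {
    "configure.ac": b"AC_INIT\n",
    "m4/helper.m4": b"original macro\n",
    "src/main.c": b"int main(void){return 0;}\n",
})
RELEASE_TARBALL = _make_tar("proj-1.0", {
    "configure.ac": b"AC_INIT\n",
    "m4/helper.m4": b"original macro\nextra line not in git\n",  # tampered
    "src/main.c": b"int main(void){return 0;}\n",
    "configure": b"#!/bin/sh\n",  # generated at release time, expected
})

if __name__ == "__main__":
    print(compare_archives(GIT_ARCHIVE, RELEASE_TARBALL))
```

Any entry under "modified", and any "only_in_release" path that is not a known build-time generated file, is worth a line-by-line review before the tarball is built or packaged.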

The OpenJS Foundation revealed that one of its own projects and two other widely used JavaScript projects were targeted in XZ-like social engineering attempts to take over the projects. The malicious activity was identified and thwarted, the foundation said.

In each instance, unknown individuals attempted to introduce suspicious updates or asked to be made maintainers of the targeted software. The OpenJS Foundation received emails urging the organization to update one of its popular JavaScript projects to “address any critical vulnerabilities,” without providing any details about those flaws.

Despite the attackers' persistence, none were granted privileged access to the projects hosted by the OpenJS Foundation.

The OpenJS team said it reported the incidents to the US Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS) for further investigation.
