Hackers are targeting open-source
A Microsoft engineer running performance benchmarks noticed that SSH logins on his test machine had become noticeably slower and that sshd was burning an unusual amount of CPU. After digging in, he discovered that XZ Utils, an innocuous-looking data compression package (specifically its liblzma library), contained a backdoor. What made the discovery so serious is that XZ Utils ships with essentially every major Linux distribution and is linked into a huge number of open-source projects.

The analysis of how the code got into XZ Utils uncovered a fiendishly sophisticated operation. The project had a single volunteer maintainer, who was increasingly catching flak for falling behind on issues and releases, a growing problem across open-source projects. An eager developer named Jia Tan had been contributing to the XZ project since at least late 2021 and built trust with the community of developers working on it. Eventually Tan was made co-maintainer, which allowed him to commit code without anyone else approving it.
Tan got there with the help of what now appears to be a coordinated set of accounts and discussions aimed at installing him as co-maintainer. Various new accounts appeared and began complaining about the pace of updates, missing features, and unanswered questions. These coordinated questions and complaints, combined with a steady stream of contributions from Tan, appear to have been designed to pressure the maintainer into elevating Tan. Whether this was done by one person or several, the mechanism is known as 'persona management', something that has been proposed as far back as 2010.
“I think the multiple green accounts seeming to coordinate on specific goals at key times fits the pattern of using networks of sock accounts for social engineering that we’ve seen all over social media,” said Molly, the EFF system administrator. “It’s very possible that the rogue dev, hacking group, or state sponsor employed this tactic as part of their plan to introduce the back door. Of course, it’s also possible these are just coincidences.”
The code introduced was sophisticated enough that analysis of its precise functionality and capability is still ongoing.
The National Counterintelligence and Security Center classifies this kind of attack as a 'supply chain attack', and open-source projects are particularly susceptible to it.
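A practitioner reading this will want to know whether their own machines are affected. The following is an added example, not code from the post above or from the XZ project. It checks the installed xz version against the two releases that carried the backdoor, 5.6.0 and 5.6.1 (tracked publicly as CVE-2024-3094; those version numbers and the CVE id come from the public advisories, not from the post). The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether the installed
# XZ Utils is one of the two backdoored releases. Version numbers and the
# CVE id (CVE-2024-3094) are taken from the public advisory, not the post.

# is_backdoored_xz_version VERSION
#   Returns 0 if VERSION is one of the backdoored releases, 1 otherwise.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# xz_version_from_banner BANNER_LINE
#   Extracts the version from the first line of `xz --version`, which
#   looks like "xz (XZ Utils) 5.4.5"; the version is the last field.
xz_version_from_banner() {
    printf '%s\n' "$1" | awk '{print $NF}'
}

# installed_xz_version
#   Prints the version of the xz binary on PATH, or returns 1 if absent.
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 1
    banner=$(xz --version 2>/dev/null | head -n 1) || return 1
    xz_version_from_banner "$banner"
}

# sshd_links_liblzma
#   Returns 0 if the sshd binary (if present) dynamically links liblzma,
#   which is the path the backdoor used via libsystemd on affected distros.
sshd_links_liblzma() {
    sshd_bin=$(command -v sshd 2>/dev/null) || sshd_bin=/usr/sbin/sshd
    [ -x "$sshd_bin" ] || return 1
    ldd "$sshd_bin" 2>/dev/null | grep -q liblzma
}

# check_installed_xz
#   Prints a verdict; returns 0 if the installed xz is a backdoored release.
check_installed_xz() {
    v=$(installed_xz_version) || { echo "xz not installed"; return 1; }
    if is_backdoored_xz_version "$v"; then
        echo "xz $v: backdoored release (CVE-2024-3094), replace it now"
        return 0
    fi
    echo "xz $v: not one of the backdoored releases"
    return 1
}

# Example usage (constructed banner rather than the live binary):
xz_version_from_banner 'xz (XZ Utils) 5.6.1'   # prints 5.6.1
```

The version check is a coarse proxy, not proof of compromise: the malicious payload lived only in the release tarballs and activated under specific build conditions (x86-64 glibc Linux, deb or rpm packaging), and it reached sshd only because some distributions link sshd against libsystemd, which pulls in liblzma. A machine on 5.6.0 or 5.6.1 should still be treated as compromised until the package is replaced, and `sshd_links_liblzma` tells you whether the hook path even exists on that host.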
The article is worth reading in full: social-engineering attacks of this sophistication against open-source maintainers are now a reality.
Articles: