Attempted XZ Utils backdoor-like hijacking thwarted

Attempted hijacking attacks similar to the recent compromise of the XZ Utils data compression project have been averted by OpenJS Foundation researchers, according to The Record, a news site by cybersecurity firm Recorded Future.

The attempts involved several suspicious emails with similar messages urging OpenJS to make the sender the new maintainer of one of its widely used JavaScript projects in order to remediate critical security issues, which were not specified, researchers said. Similar activity observed in two other JavaScript projects has prompted OpenJS to notify the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency.

Such a development indicates the security risks posed by an "incredibly opaque" JavaScript project ecosystem, said Endor Labs Chief Security Advisor and CISA Cyber Innovation Fellow Chris Hughes.

"This makes the entire ecosystem vulnerable to malicious actors preying on these realities and taking advantage of overwhelmed maintainers with a community making demands of them with no actual compensation in exchange for their hard work and commitment to maintaining code the world depends on," said Hughes.
