From the OpenJS Foundation:

The recent attempted XZ Utils backdoor (CVE-2024-3094) may not be an isolated incident as evidenced by a similar credible takeover attempt intercepted by the OpenJS Foundation, home to JavaScript projects used by billions of websites worldwide. The Open Source Security (OpenSSF) and OpenJS Foundations are calling all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects.

Vigilance is good, and it’s worth heeding the advice and paying attention to the evidence presented here. The XZ Utils backdoor was a smart attack that very nearly caused havoc.

I think it’s also worth pointing out that we know about the exploit because it was in an open source project. Andres Freund was debugging a server resource issue when he uncovered the issue. Because the project — and its downstream client — were open source, he could investigate and find the intrusion.

It’s not clear how this would have panned out if this had been proprietary software: particularly on a team that was resource strapped or moving at speed. The same social engineering exploits that allowed Jia Tan to become a maintainer of the XZ Utils project would also see someone hired as a contractor by a tech team. If I was a nefarious actor who wanted to place an exploit in an important software library, that’s exactly what I’d do: go send someone to join the team as a contractor. While there are mandatory identity verification procedures for full-time employees (which we can certainly argue the pros and cons of), contractors have no such requirements.

I bring this up because all the advice I’ve seen to date has been directed at open source maintainers. Again, this is smart and good and should absolutely be heeded — but there’s a world of other software out there that is also critical infrastructure and which doesn’t enjoy the sunlight of open source projects. This isn’t an open source software problem; it’s a software problem. Everyone should be vigilant, regardless if there are eyes on their source code or not. And perhaps we should be even warier of projects whose code we can’t audit ourselves.