
A new way to sound the alarm about open-source hacks

Recent attempts to sabotage free-to-use software components have a leading developers group working to spread the word about exploits.

The Open Source Security Foundation unveiled a mailing list on Monday to help contributors and end users alert each other about open-source project vulnerabilities being exploited by hackers.

OpenSSF’s Siren is meant to serve as a real-time alert system that emails list members to flag malicious attempts to sabotage code in free and open-access software. It was motivated by attacks on open-source tools earlier this year, including an attempted hijacking of a widely used Linux file transfer protocol.

The list aims to get security alerts about open-source builds—which underpin some 90% of modern applications—to end users of the tools. Open source security mailing lists have traditionally been used to exchange communications between developers, and the foundation wants to improve “communicating information about exploits efficiently with the broader downstream audience.”

Open-source projects rely on contributions from community members to keep them updated with patches. The updates are discussed on forums with volunteer software maintainers, who chat with one another about proposed changes. 

But traditional community practices have relied on the assumption that all contributors are good samaritans. That notion was challenged in late February when a user named “Jia Tan” tried to quietly plant a backdoor into XZ Utils, a file transfer tool used in several Linux builds that power software in companies like Snapchat, Robinhood and Instacart.

Analysts told Nextgov/FCW in April that Jia Tan may have been a collection of nation-state hackers planning a long game to surreptitiously hijack the tooling, with one saying a successful attempt would have given them a “skeleton key” to the internet.

Later that month, OpenSSF and partner foundation OpenJS said they received a series of suspicious emails from users masquerading as code contributors on three open-source Java projects that had attempted a related takeover.

Open source maintainers are often not paid for their work and contribute to security updates of the free-to-use software platforms on their own time. Tempting offers come their way when another supposed maintainer proposes taking over project oversight by convincing administrators to relinquish privileges over their tools. 

But there aren’t standardized, verifiable ways to determine the authenticity or intentions of a purported user. Jia Tan, for instance, carefully uploaded code updates during their tenure as a fake contributor, some appearing to land during Chinese business hours and others at times that pointed to Europe.

In another case, one security practitioner previously told Nextgov/FCW their team found a vulnerability in a federal system’s open-source software that interacts with troves of sensitive government data, including data shared with stakeholders tied to the Pentagon. The vulnerability was not lodged in the system’s code, but was, quite literally, the single Russian government employee serving as the maintainer who sent commits to the system.

Open source code is used everywhere in commercial systems. The 2024 Open Source Security and Risk Analysis Report from Synopsys found open source components in more than 96% of over 1,000 commercial codebases, with 84% containing at least one known vulnerability.

“Now, more than ever, the open source community needs a centralized platform to exchange threat intelligence efficiently,” the foundation said in a blog post, which provided a sign-up link for the mailing list. “Siren is intended to be a post-disclosure means of keeping the community informed of threats and activities after the initial sharing and coordination,” the post later adds.