Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently targeting the Linux xz data compression library, XZ Utils [linuxsecurity.com].

  • corvus
    link
    fedilink
    arrow-up
    9
    ·
    8 months ago

    Be prepared for KYC in github. MS would love it.

  • bizdelnick
    link
    fedilink
    arrow-up
    9
    ·
    8 months ago

    Continue? There are no details on attack attempts published, even when they occured.

    • 0nekoneko7@lemmy.worldOP
      link
      fedilink
      arrow-up
      2
      arrow-down
      3
      ·
      edit-2
      8 months ago

      read the full article. there it’s mentioned that there were similar attempts on popular OpenJS projects. “The emails were sent from different names, all with GitHub-associated email addresses, and were constructed around the same theme. The suspected attackers were trying to get themselves added as project maintainers to “address any critical vulnerabilities” but didn’t provide details on these vulnerabilities, which raises suspicion.”

      • bizdelnick
        link
        fedilink
        arrow-up
        9
        arrow-down
        1
        ·
        edit-2
        8 months ago

        I have read this. There are no details about attacked projects, mail texts, addresses and github logins, nothing. It’s even impossible to ensure that attack attempts really took place. One may guess they occured before the xz attack disclosure and were performed by different actors because thay seem much more dumb.