The recent attempted XZ Utils attack may not be an isolated incident, and project maintainers are urged to watch for unusual activity, according to the Open Source Security (OpenSSF) and OpenJS Foundations.

In a recent blog post, the foundations jointly called upon “all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects.”

In collaboration with the Linux Foundation, the group have put together a list of warning signs to help maintainers and others detect suspicious patterns, including:

• Requests to be elevated to maintainer status by new or unknown persons
• Endorsement coming from other unknown members of the community who may also be using false identities
• Pull requests containing blobs as artifacts
• Intentionally obfuscated or difficult to understand source code
• Deviation from typical project compile, build, and deployment practices

They also offer guidelines to help secure your open source project, including:

• Use strong authentication practices, such as:
  • Enable two-factor authentication (2FA) or Multifactor Authentication (MFA).
  • Use a secure password manager.
  • Preserve your recovery codes in a safe, preferably offline place.
  • Do not reuse credentials/passwords across different services.
• Have a security policy including a “coordinated disclosure” process for reports.
• Review resources such as “Avoiding social engineering and phishing attacks” from CISA and/or “What is ‘Social Engineering’” from ENISA.

Learn more from OpenSSF.