Summary:
The OpenSSF and OpenJS Foundations have issued a warning to open source maintainers regarding a series of social engineering attacks reminiscent of the xz Utils campaign. These attacks involve suspicious emails sent to the OpenJS Foundation Cross Project Council, requesting urgent updates to popular JavaScript projects under the pretext of addressing critical vulnerabilities. The emails demand that the senders be appointed as new maintainers to handle these updates.

To raise awareness within the open source community, OpenJS released warning signs of suspicious activity. These include aggressive pursuit by relatively unknown community members, requests for elevation to maintainer status by new or unknown individuals, endorsements from dubious sources using false identities, unreadable pull requests containing blobs instead of source code, intentionally obfuscated code, and an increase in security issues to slip malicious activity under the radar. They also noted deviations from standard project practices to insert external malicious payloads and a false sense of urgency to bypass thorough review processes.

Security Officer Comments:
Endor Labs, emphasized the severity of these attacks, highlighting the underfunded nature of many open source projects and the vulnerability of maintainers to social engineering tactics. He warned that these attacks pose a significant threat to the open source and software community, as malicious actors may already have successfully infiltrated projects by exploiting the pressures and limitations faced by maintainers.

Suggested Corrections: