Open source groups say more software projects may have been targeted for sabotage

By Raphael Satter

WASHINGTON (Reuters) – The recent attempt by an unknown actor to sabotage a widely used software program may have been one of several attempts to subvert key pieces of digital infrastructure across the internet, two open source groups said in an alert published on Monday.

In a joint statement, the Open Source Security Foundation and the OpenJS Foundation said the recent attempt to insert a secret backdoor into XZ Utils – a little-known program that is baked into Linux systems across the world – “may not be an isolated incident.”

They said at least three different JavaScript projects were targeted by unnamed individuals demanding suspicious updates or asking to be made maintainers of the targeted software.

The projects were not identified in the statement, but the OpenJS Foundation supports the development of a host of popular JavaScript projects, which in turn underpin much of the modern web.

The OpenJS and Open Source Security Foundations said they had alerted the U.S. cyber watchdog agency CISA to the suspected infiltration. CISA did not immediately return a message seeking comment.

(Reporting by Raphael Satter; Editing by Josie Kao)


Lucas Anderson
