17 April 2024

OpenJS Foundation reports attempted supply-chain attacks on JavaScript projects


The OpenJS Foundation said it uncovered three attempted supply-chain attacks similar to the recent incident involving the popular compression library XZ Utils.

Earlier this month, XZ Utils was found to contain a backdoor (CVE-2024-3094) hidden within XZ-compressed binary test files. The backdoor is believed to have been introduced by the individual known online as Jia Tan or JiaT75, who has been targeting XZ since April 2022.

The malicious code was found in versions 5.6.0 and 5.6.1 of XZ Utils. The backdoor is not present in the source code found in the Git repository but is introduced in the distributed tarballs.
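The gap between the Git tree and the release tarball described above is something downstream consumers can check for themselves. The following Python script is an added example (not code from the XZ or OpenJS projects): it compares a release tarball against a checkout of the tagged source and lists files that were added, removed or modified on the way into the archive. The sample checkout and tarball it builds are constructed inline, with invented file names.

```python
"""Compare a release tarball against a source checkout (e.g. the Git tag) and
report files added, removed or modified on the way into the archive."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def tree_digests(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def tarball_digests(tar_bytes: bytes) -> dict:
    """Same map for regular members of a tarball, with the usual single
    top-level release directory (name-version/) stripped off."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
                out[rel] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out


def compare(tar_bytes: bytes, checkout: Path) -> dict:
    """Classify tarball contents relative to the checkout."""
    tar, tree = tarball_digests(tar_bytes), tree_digests(checkout)
    return {"added": sorted(set(tar) - set(tree)),
            "removed": sorted(set(tree) - set(tar)),
            "modified": sorted(p for p in set(tar) & set(tree) if tar[p] != tree[p])}


def demo() -> dict:
    """Constructed sample (invented file names): a checkout and a tarball that quietly differs."""
    with tempfile.TemporaryDirectory() as d:
        checkout = Path(d) / "src"
        (checkout / "m4").mkdir(parents=True)
        (checkout / "configure.ac").write_text("AC_INIT([demo], [1.0])\n")
        (checkout / "m4" / "helper.m4").write_text("dnl clean macro\n")
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for name, text in [("configure.ac", "AC_INIT([demo], [1.0])\n"),
                               ("m4/helper.m4", "dnl clean macro\ndnl changed only in tarball\n"),
                               ("m4/extra.m4", "dnl present only in tarball\n")]:
                info = tarfile.TarInfo(f"demo-1.0/{name}")  # constructed release layout
                info.size = len(text.encode())
                tf.addfile(info, io.BytesIO(text.encode()))
        return compare(buf.getvalue(), checkout)
```

Release tarballs legitimately carry generated files (autoconf output, for instance) that are absent from Git, so the "added" and "modified" lists are a review queue rather than an automatic verdict.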

The OpenJS Foundation revealed that one of its own projects and two other widely used JavaScript projects were targeted in XZ-style social-engineering attempts to take them over. The malicious activity was identified and thwarted, the foundation said.

In each instance, unknown individuals attempted to introduce suspicious updates or asked to be made maintainers of the targeted software. The OpenJS Foundation received emails urging the organization to update one of its popular JavaScript projects to “address any critical vulnerabilities,” without providing any details about those flaws.

Despite the attackers' persistence, none were granted privileged access to the projects hosted by the OpenJS Foundation.

The OpenJS team said it reported the incidents to the US Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS) for further investigation.

