Open Source Summit Europe 2024

The first half of 2024 saw an entirely new category of threat against open source, one that rocked its trust-based system at its core: social engineering takeover attempt of critical open source projects. These attacks uncovered a systemic gap in open source security management. Up until now, the open source community wasn’t thought of as a potential cyber attack target. But when critical open source projects become stepping stones for industrial espionage, ransomware attacks, or cyberwarfare, maintainers need to adopt comparable security practices to those found in target organizations. This creates a unique set of challenges for open source because of its highly distributed nature and volunteer-based model. In this talk we'll do a post-mortem of the social engineering takeover attempt at the OpenJS Foundation. Without revealing confidential information, we'll still be able to outline critical industry gaps uncovered during this attack and suggest ways to meaningfully improving security at scale while preserving the ethos, culture, and diversity of communities that characterize open source.