Insufficient security on individual developer accounts maintaining some of the most popular packages poses a significant threat to the open source community and beyond, according to a report from the Linux Foundation.
The Linux Foundation Census is the third report of its kind looking into the widespread use of free and open source software (FOSS), aggregating data from over 12 million observations of FOSS libraries used in production applications at over 10,000 companies.
The report argued that FOSS has become a critical part of the modern economy, citing estimates that 96% of codebases include FOSS, and as a result the security of the developers maintaining these projects needs to be reassessed.
A significant proportion of the top 500 packages identified in the investigation are hosted under individual developer accounts, according to the Linux Foundation.
The foundation warned that the implications of this fact may not be fully appreciated in the software community.
“The consequences of such heavy reliance upon individual developer accounts must not be discounted. For legal, bureaucratic, and security reasons, individual developer accounts have fewer protections associated with them than organizational accounts in a majority of cases.”
For example, the report noted many individual accounts fail to even have the most basic security protections, like multifactor authentication (MFA), leaving them vulnerable to attack.
“In addition, the granularity of permissioning and other publishing controls often found on organizational accounts are lacking on most accounts. Developer accounts are significantly easier to make. Further, a related issue could occur if the individual developer went on a long hiatus, or was hit by the proverbial bus, preventing updates to the code from occurring,” the report added.
Compromised developer accounts pose “significant” threat
The threat posed by lax security is not hypothetical: the report warns that developer account takeovers are increasing in frequency, both on platforms such as GitHub and in package repositories such as PyPI.
One popular method of infiltrating accounts detailed in the report is backdooring, where hackers insert malicious code into popular packages that gives them an easy entry point once the package is installed on a system.
The report cited an example from 2019, in which the account of a Ruby developer was compromised and used to insert backdoors into eleven packages.
The Linux Foundation noted that while account takeovers remain a significant risk to software security, there are other less obvious issues concerning individual developers maintaining packages that are widely depended upon.
For example, developers that decide to remove or ‘delete’ their projects can cause serious disruption, such as in the case of the ‘left-pad’ package, which left the internet ‘broken’ for several hours after being removed in 2015.
The disgruntled developer responsible for the package removed their code in protest, which broke hundreds of downstream packages that depended on the “seemingly minor piece of code”.
The report also referred to the more recent case of XZ Utils, which it described as an even more serious problem: a developer intentionally subverting the software they maintain.
In February 2024, a malicious backdoor was introduced into the popular data compression library, which is used across a number of major Linux distributions, putting potentially millions of systems at risk.
The threat actor responsible for the attack, known as Jia Tan, conducted a years-long social engineering campaign to gain the trust of the utility’s original author, Lasse Collin, using fake GitHub accounts to flood him with requests and pressure him into making Tan a co-maintainer of the project.
The backdoor was caught only thanks to the keen eye of Microsoft developer Andres Freund, who spotted it and reported it to the Openwall Project’s security mailing list, bringing the issue to the attention of a number of major software vendors and preventing the incident from spiralling out of control.
The report concluded that in the context of both security and general risk management, it is critical that developer accounts are better understood and strongly protected.
Moving towards this goal, the Linux Foundation encouraged the use of MFA tokens and also suggested that some individual accounts hosting critical projects should be transitioned to organizational accounts with added layers of security.
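As an added example, not from the report or this article, the following script shows how a team could check its own dependency manifests for packages hosted under individual accounts, the exposure the report describes. It assumes GitHub-hosted packages and an account lookup via the GitHub users API, whose response carries a `type` field of `User` or `Organization`; the manifest entries and API replies below are constructed sample data.

```python
import re
from typing import Callable, Optional

# Recognise the GitHub repository references that commonly appear in package
# metadata (npm "repository.url", PyPI project_urls): plain https URLs,
# git+https, ssh:// and scp-style git@ forms, and the npm shorthands
# "owner/repo" and "github:owner/repo". Non-GitHub references do not match.
_GITHUB_RE = re.compile(
    r"^(?:(?:git\+)?(?:https?|ssh)://(?:[^@/]+@)?github\.com/|git@github\.com:|github:)?"
    r"(?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?/?$"
)

def github_owner(repo_ref: str) -> Optional[tuple[str, str]]:
    """Return (owner, repo) for a GitHub reference, or None if it is not one."""
    m = _GITHUB_RE.match(repo_ref.strip())
    return (m["owner"], m["repo"]) if m else None

def classify_owner(account: dict) -> str:
    """Map a GitHub GET /users/{login} response ("type" is "User" or
    "Organization") to the account class the report distinguishes."""
    kind = account.get("type")
    if kind == "User":
        return "individual"
    return "organization" if kind == "Organization" else "unknown"

def audit_dependencies(deps: dict[str, str], lookup: Callable[[str], dict]) -> dict[str, str]:
    """For each dependency (name -> repository reference) report whether the
    hosting account is individual, organization, unknown, or not on GitHub.
    `lookup` fetches the account record for an owner login; in production that
    would be an HTTP call to https://api.github.com/users/{login} (not done here)."""
    report = {}
    for name, ref in deps.items():
        parsed = github_owner(ref)
        report[name] = "not-github" if parsed is None else classify_owner(lookup(parsed[0]))
    return report

# Constructed sample data standing in for real manifests and API replies.
SAMPLE_DEPS = {
    "widget-js": "git+https://github.com/solo-maintainer/widget-js.git",
    "corelib": "git@github.com:example-org/corelib.git",
    "shorthand-pkg": "github:someone/shorthand-pkg",
    "elsewhere": "https://gitlab.com/team/elsewhere",
}
SAMPLE_ACCOUNTS = {
    "solo-maintainer": {"login": "solo-maintainer", "type": "User"},
    "example-org": {"login": "example-org", "type": "Organization"},
    "someone": {"login": "someone", "type": "User"},
}

def stub_lookup(login: str) -> dict:
    return SAMPLE_ACCOUNTS.get(login, {})
```

Calling `audit_dependencies(SAMPLE_DEPS, stub_lookup)` flags `widget-js` and `shorthand-pkg` as hosted under individual accounts, the cases worth reviewing for MFA enforcement or a move to an organizational account.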