Malicious infiltration in open source projects and methods of prevention
Anghel, Mara-Ruxandra (2025)
Bachelor's thesis
School of Engineering Science, Computer Science
All rights reserved.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi-fe2025072879661
Abstract
The thesis focuses on how malicious actors gain access to open source projects in order to inject malicious code, on the factors that make some projects more susceptible to these attacks than others, and on the steps that can be taken to mitigate the risk of successful social-engineering-based malicious infiltration.
The research was conducted through a multivocal literature review and multiple case studies of real-world incidents, including XZ Utils, event-stream, OpenJS, and ESLint.
The findings include both technical solutions, such as reproducible builds, the use of software composition analysis (SCA) tools and secure authentication, and human resource factors that are critical to the security of a project, such as addressing maintainer burnout.
The thesis concludes that technical measures and attention to the human element, particularly through increased support for maintainers, are both essential to mitigating the risk of an open source project being successfully attacked.
