The OpenJS Foundation has headed off a “credible takeover attempt” similar to the one that resulted in a backdoor being inserted into the open-source XZ Utils package by someone calling themselves “Jia Tan”. This malicious maintainer gained that coveted position after a successful long-term social engineering campaign aimed at convincing Lasse Collin – the project’s author and primary maintainer – to share the responsibility load associated with keeping the project running smoothly.
Source: Help Net Security