Public Service Announcement Re. Salt Typhoon
Published on September 8, 2025 by Benjamin Nickolls

TLDR: The US and its allies have declared a national defense crisis. Critical open source dependencies are an attack vector for state actors. We recommend that you contact your mobile service provider to lock down your account and use biometric-protected passkeys instead of relying solely on SMS as a two-factor authentication solution.

On 27 August, the FBI, CISA, NSA, DC3 and international partners across Europe, North America, Japan, Australia and other allied countries released a joint advisory containing technical guidance for 'network defenders' on identifying and defending against an escalating espionage threat from state-backed actors. Sensitive data belonging to millions of people across 80 countries has been stolen and is now being used to undermine the integrity of global networks.

Details are available at the end of this announcement, but we at Open Source Collective are taking this threat seriously, and we believe you should too.

Open Source Collective is the fiscal host to ~2,500 open source projects. Some of these projects rank amongst the most used and, thus, critical open source 'infrastructure' projects in the world. In the past 18 months, we have seen concerted efforts to infiltrate open source dependencies in 'supply chain attacks' that are designed to undermine economies and extort industries.

The joint advisory and the level of detail it contains give us great concern for the safety and security of some of our member projects. In addition, we have, in the past few days, seen evidence of a repeated, concerted effort to infiltrate Open Source Collective in a way that demonstrates detailed knowledge of our internal management structure, which is in itself indicative of an informed attack.

What we are doing

Effective immediately, our Strategic Director, Ben Nickolls, will assume the additional role of CSO and instigate a review of our policies and practices.

Ben is unusually qualified for this role, holding a Master's Degree in Computer Security, with a special interest in cryptography, cryptanalysis, and protocol verification. He has worked at the UK's National Integrity Centre and as Risk Manager across the entire IT Operations department at BT, the UK's national telecoms provider. He also wrote the security policies at both Open Collective and Open Source Collective.

Our recommendations to member projects

Our working assumption is that the telecommunications network is compromised. As a result, we recommend that our member projects follow the guidance issued in the joint advisory immediately: specifically, that you contact your mobile provider and establish a passphrase to use when authorising changes to your account.

In addition, we recommend that projects secure their accounts with biometric-protected passkeys wherever possible, specifically accounts with access to commit (e.g., GitHub) or distribution (e.g., package managers), and that they never rely solely on SMS as a second authentication factor.
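For readers who run a service that maintainers log into (a registry, a forge, a CI console), here is what "biometric-protected" means in WebAuthn terms. This is an added illustration, not code from Open Source Collective or from the joint advisory: the registration options ask the browser for a device-bound passkey that must be unlocked with biometrics or a device PIN, and the server-side check refuses an assertion whose authenticator data does not carry the User Verified (UV) flag, so a credential that was merely touched cannot stand in for one that was unlocked. The relying-party id, user fields and sample authenticator data bytes are constructed placeholders.

```javascript
// Added example (not from the Open Source Collective announcement): what a
// relying party asks for when it wants a "biometric-protected" passkey, and how
// it checks server-side that user verification actually happened.
// All identifiers and sample bytes below are constructed for illustration.

// Options a web app passes to navigator.credentials.create(). rp.id, user and
// challenge are placeholders; a real server generates a fresh random challenge.
const PASSKEY_CREATE_OPTIONS = {
  rp: { id: 'example.invalid', name: 'Example RP' },
  user: { id: new Uint8Array(16), name: 'maintainer', displayName: 'Maintainer' },
  challenge: new Uint8Array(32),
  pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
  authenticatorSelection: {
    authenticatorAttachment: 'platform', // device-bound authenticator (Touch ID, Windows Hello, ...)
    residentKey: 'required',             // discoverable credential, i.e. a passkey
    userVerification: 'required',        // biometric or PIN, not just a touch
  },
};

// WebAuthn authenticator data layout (WebAuthn spec, section 6.1):
//   rpIdHash 32 bytes | flags 1 byte | signCount 4 bytes big-endian | optional data
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (biometric / PIN)
const FLAG_BE = 0x08; // backup eligible
const FLAG_BS = 0x10; // backed up
const FLAG_AT = 0x40; // attested credential data included
const FLAG_ED = 0x80; // extension data included

function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error('authenticator data too short');
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    flags: {
      userPresent: (flags & FLAG_UP) !== 0,
      userVerified: (flags & FLAG_UV) !== 0,
      backupEligible: (flags & FLAG_BE) !== 0,
      backedUp: (flags & FLAG_BS) !== 0,
      attestedCredentialData: (flags & FLAG_AT) !== 0,
      extensionData: (flags & FLAG_ED) !== 0,
    },
    signCount: view.getUint32(33, false),
  };
}

// Server-side policy for a login assertion: the authenticator must report both
// user presence and user verification. Returning false lets the caller log the
// rejection; the signature and rpIdHash checks are assumed to happen elsewhere.
function assertionSatisfiesUvPolicy(bytes) {
  const { flags } = parseAuthenticatorData(bytes);
  return flags.userPresent && flags.userVerified;
}

// Build constructed sample authenticator data for the two cases that matter.
function buildSampleAuthData(flags, signCount) {
  const out = new Uint8Array(37);
  out.fill(0xab, 0, 32); // placeholder rpIdHash; a real RP compares it to SHA-256(rp.id)
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount, false);
  return out;
}

const SAMPLE_UV = buildSampleAuthData(FLAG_UP | FLAG_UV, 7); // unlocked with biometric/PIN
const SAMPLE_UP_ONLY = buildSampleAuthData(FLAG_UP, 8);     // only touched
```

The registration options alone are not enough: a relying party that sets `userVerification: 'required'` but never inspects the UV bit on login is still trusting the client. The parser above is the server's side of that contract.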

Read more

This article by Emil Sayegh in Forbes strikes a good balance between technical detail and legible, human language, making it a solid starting point.