Manipulation through participation: Social engineering as a security risk in the open source context

In terms of security, open-source projects have at least one distinctive feature: collaborative development is a strength, but the same openness can be exploited as a vulnerability through social-engineering attacks. Instead of technical vulnerabilities, these attacks exploit human traits, deceiving people in order to gain access to information or systems. Our Focus Report 01 (German) therefore deals with measures to reduce the risk of social-engineering attacks and the challenges that come with them.

Attacks on infrastructure components

Social engineering is increasingly being used as a method of attack against digital infrastructure. Phishing emails or calls from supposed grandchildren are familiar examples of social engineering in the private sphere. Similar manipulative practices are now increasingly occurring in collaborative software development on platforms such as GitHub, GitLab and Codeberg: attackers attempt to gain access to projects through lengthy and complex deception manoeuvres in order to inject malicious code. Since the 2024 attack on xz-utils, a central FOSS library, this topic has been on the security agenda for open-source infrastructure.

You can find the full report (in German) here; Chapter 2 introduces the topic.

Levels for countermeasures

For the report, we compiled countermeasures by different parties across different levels:

  • Project level: rules and structures, technical security measures
  • Development platforms: moderation, reputation mechanisms
  • Policy and funding level: legislation, capacity building, and funding programs

The full report (in German) can be found here. Chapter 3 deals with countermeasures.

Voices from the FOSS community and funded projects

To situate these measures within the context of the Prototype Fund and to include perspectives from the FOSS community, we conducted interviews with leads of projects funded by the Prototype Fund and held a workshop at a Chaos Computer Club event.

In addition to technical measures, social factors were highlighted, including:

  • Building trust through in-person meetings
  • Human fallibility
  • Different affected groups along the software supply chain

The following were identified as key challenges:

  • Structural aspects that make it difficult to defend against social-engineering attacks
  • The need for political and economic will
  • Building up resources

You can find the full report (in German) here. Feedback from the community and fellows can be found in Chapter 3 as contextual additions.

Considerations for FOSS ecosystems

Social-engineering attacks occur within the complex and social FOSS ecosystems and therefore require security approaches that go beyond formal and procedural measures. Interviews and the workshop show that measures are promising when they take social structures, contributors’ needs, and trust-building into account and help strengthen a healthy ecosystem. At the same time, limited resources and structurally better-funded attackers exacerbate the challenge, making the response to social engineering a delicate balance between openness and security that requires sustainable funding, awareness, and political will to protect digital open-source infrastructure.

You can find the full report (in German) here.