Fenix

Why I Built Open Source Civil Defense — A Safe Space for Attacked Maintainers

Most of the world's software depends on independent developers. When they get attacked, they're alone. That changes today.

The Problem

In 2024, a backdoor was inserted into the xz compression library — a piece of software used by virtually every Linux system on the planet. The attacker spent over two years building trust in the community before striking. It was discovered by accident, days before it would have been included in major distributions.

This is not an isolated incident.

  • event-stream (2018): A popular npm package (2M+ weekly downloads) was transferred to an attacker who injected malware targeting cryptocurrency wallets.
  • ua-parser-js (2021): A maintainer account was hijacked and crypto-mining malware was published to a package with 7M+ weekly downloads.
  • MCP tool poisoning (2025-2026): Malicious instructions hidden in AI tool descriptions, turning AI agents into unwitting accomplices.

The pattern is clear: independent developers are the foundation of modern software, and they are the most vulnerable. They don't have security teams. They don't have lawyers. When attacked, they are alone.

What is OSCD?

Open Source Civil Defense (OSCD) is a community hub for independent developers and open source maintainers who are suffering (or have suffered) an attack on their code, account, or infrastructure.

It is NOT:

  • A professional incident response service
  • Legal advice
  • A substitute for GitHub Security
  • A guaranteed 24/7 response team

It IS:

  • A private, safe space to report attacks
  • A community of developers who help each other
  • A public knowledge base of documented attack cases
  • A coordination platform for incident response

The 3 Pillars

1. Absolute Privacy

When a developer is attacked, the worst thing they can do is announce it publicly. That alerts the attacker and damages the developer's reputation.

OSCD uses a private intake process. Reports are submitted through a private form — never as public GitHub Issues. Details are only seen by trusted community members. Cases are only made public after they are resolved, and only with the victim's explicit consent. All public cases are fully anonymized.

2. Forensic Library

Every resolved case becomes a public resource. The repository launches with 4 documented case studies:

  • Case 001: xz utils — The 2024 supply chain backdoor (CVSS 10.0)
  • Case 002: event-stream — Maintainer compromise and crypto malware (2018)
  • Case 003: ua-parser-js — Account hijack and crypto miner (2021)
  • Case 004: MCP tool poisoning — AI agent manipulation through tool descriptions (2025-2026)

Each case includes: timeline, technical analysis, impact assessment, resolution steps, and lessons learned.

3. Legal Shield

OSCD is a voluntary community effort of mutual aid. All support is provided "AS IS", without warranties. This is stated clearly and prominently. By submitting a report, users acknowledge these terms.

How It Works

  1. Report privately — Fill out a structured form with details about the attack
  2. Get help — Community members respond and work with you privately
  3. Resolve — The issue is contained and fixed
  4. Document (optional) — With your consent, the case is anonymized and published for others to learn from

Who Can Help

Anyone with relevant skills:

  • Security researchers
  • Experienced developers (code review, audit)
  • DevOps / SRE engineers
  • Technical writers
  • Translators

The Bigger Picture

The open source ecosystem is held together by millions of independent developers. They maintain the libraries, frameworks, and tools that the entire world depends on. When one of them is attacked, the ripple effects can be massive.

OSCD exists because the community should protect its own. Not with corporate bureaucracy, but with direct, honest, mutual aid.

Get Involved

OSCD is a community project. It is not perfect. But it is necessary.
