Posted on June 2, 2020 at 5:37 PM
GitHub Security Lab has disclosed in a recent report that the Octopus Scanner malware infected twenty-six open-source projects hosted on GitHub. The malware can serve weaponized code to developers who use those projects, the report reveals.
GitHub investigated the incident and described it as the first malware of its kind to enumerate and backdoor NetBeans projects. GitHub says the malware uses both the build artifacts and the build process itself to spread.
A typical software supply-chain attack involves typosquatting popular package names or stealing a developer’s credentials. This attack was different: it gave the malware a very effective means of transmission, because an infected project will be cloned and used on other systems.
As Alvaro Muñoz, a security researcher at GitHub, stated, “It gives the malware an effective means of transmission since the affected projects will presumably get cloned.”
He also said the build artifacts could spread even further; such artifacts may differ from the original build and be more difficult to track down.
GitHub revealed it was notified about the incident on March 9 by a security researcher, JJ.
Those looking after the infiltrated repositories were unaware that their NetBeans open-source projects were serving malware to other users. As a result, GitHub faced the challenge of finding a way to remove the malware from the repositories. The malware goes by the name Octopus Scanner because of its mode of operation.
The open-source supply chain is very difficult to secure
Securing an open-source supply chain is a big task. It takes more than patching security flaws or doing a security assessment. Supply-chain security deals with the integrity of the entire software delivery and development ecosystem, and at every point in that chain there are security concerns and the possibility that integrity is lost.
The GitHub security team regularly receives reports of bad actors taking advantage of GitHub repositories to host malware or to use the GitHub platform as command-and-control infrastructure. In this attack, however, the operators of the repositories did not know they were committing backdoored code into their repositories.
Malware is capable of implanting a malicious payload
The security team at GitHub gave details about the infection and described the activities of the “Octopus Scanner” malware.
The team noted that the malware can spot NetBeans project files and implant a malicious payload in both the project files and the built JAR files.
The GitHub security team described the malware as being capable of the following:
- Identifying the user’s NetBeans directory
- Enumerating all projects within the NetBeans directory
- Modifying the nbproject/build-impl.xml file to ensure the execution of the malicious payload
- Copying the malicious payload cache.dat to nbproject/cache.dat
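The four behaviours listed above give a defender two file-system indicators to look for: a file named cache.dat dropped into a project's nbproject/ directory, and a build-impl.xml that references that payload. The following scanner is an added example, not code from GitHub's report or from the Octopus Scanner analysis. It assumes a directory of NetBeans projects (the default ~/NetBeansProjects layout is an assumption) and treats any mention of cache.dat inside build-impl.xml as suspicious, which is a heuristic chosen for this example. It only finds the project-level indicators; as the article notes later, the built JAR files can also be infected, so a clean result here is not proof that a checkout is clean.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article's description of the malware:
#   - a payload file named cache.dat placed in nbproject/
#   - nbproject/build-impl.xml modified so the payload runs during the build
PAYLOAD_NAME = "cache.dat"
BUILD_FILE = "build-impl.xml"
# Assumption for this example: a clean NetBeans build-impl.xml never refers to
# a file called cache.dat, so any such reference is flagged.
SUSPICIOUS_REF = re.compile(r"cache\.dat", re.IGNORECASE)

PAYLOAD_PRESENT = "payload_present"
BUILD_REFERENCES_PAYLOAD = "build_script_references_payload"


def scan_project(project_dir):
    """Return the list of indicator labels found in one NetBeans project directory."""
    findings = []
    nbproject = Path(project_dir) / "nbproject"
    if not nbproject.is_dir():
        return findings
    if (nbproject / PAYLOAD_NAME).exists():
        findings.append(PAYLOAD_PRESENT)
    build_file = nbproject / BUILD_FILE
    if build_file.is_file():
        # errors="replace" keeps the scan going on odd encodings instead of crashing
        if SUSPICIOUS_REF.search(build_file.read_text(errors="replace")):
            findings.append(BUILD_REFERENCES_PAYLOAD)
    return findings


def scan_netbeans_dir(root):
    """Walk a tree of NetBeans projects and map each flagged project's path to its findings."""
    results = {}
    for nbproject in Path(root).rglob("nbproject"):
        if nbproject.is_dir():
            project = nbproject.parent
            findings = scan_project(project)
            if findings:
                results[str(project)] = findings
    return results


def make_sample_tree(base):
    """Build two constructed projects under base: CleanApp and SuspectApp (test data, not real artifacts)."""
    clean = Path(base) / "CleanApp" / "nbproject"
    clean.mkdir(parents=True, exist_ok=True)
    (clean / BUILD_FILE).write_text(
        '<project name="CleanApp-impl"><target name="jar"/></project>'
    )
    suspect = Path(base) / "SuspectApp" / "nbproject"
    suspect.mkdir(parents=True, exist_ok=True)
    # Constructed build script that mentions the payload file name
    (suspect / BUILD_FILE).write_text(
        '<project name="SuspectApp-impl"><target name="-post-jar">'
        '<property name="p" value="nbproject/cache.dat"/></target></project>'
    )
    # Constructed placeholder bytes standing in for the dropped payload
    (suspect / PAYLOAD_NAME).write_bytes(b"constructed placeholder, not a real payload")
    return base


def demo():
    """Scan the constructed sample tree and return findings keyed by project name."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return {Path(p).name: f for p, f in scan_netbeans_dir(tmp).items()}


if __name__ == "__main__":
    for project, findings in demo().items():
        print(project, "->", ", ".join(findings))
```

Point `scan_netbeans_dir` at the real projects directory instead of the constructed tree to run it on a workstation; each flagged project should then be treated as a candidate for the cleanup the article describes, including a rebuild from clean sources rather than reuse of existing JARs.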
Although the C2 servers appear inactive, the infiltrated repositories are still a source of concern and danger to GitHub users who could potentially clone and build the projects.
No simple approach to a complete removal of malware
The GitHub security team said it wanted to reach out to the owners of the compromised repositories so they could delete their nbproject/build-impl.xml files and clean up the nbproject/cache.dat payload. The team expected this to be the ideal way to clean up the repositories.
Although this would not clean up any local infections on developers’ machines, it would stop the wider spread of the malware within the GitHub platform. The team said it wanted to make this move before completing the malware analysis.
After a deeper analysis of the malware, however, it realized that these simple steps would still not be enough to solve the problem, because the malware had also infiltrated the JAR files in the projects.
The open-source supply chain has experienced a number of attacks in the past few years. There has been a non-stop stream of typosquatting attacks against widely used package managers like PyPI and npm. There have also been hijacks of developer credentials to introduce backdoors, such as the event-stream incident.