IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

GitHub’s open source supply chain hit by Octopus Scanner malware

Hackers target developers by abusing build processes to infect files that spread between NetBeans projects

Several GitHub projects related to the NetBeans Java software were recently infected with sophisticated malware that carved backdoors and infected files with a payload.

Dubbed Octopus Scanner, the malware affected the supply chain in such a way that it abused the build process and caused its resulting artifacts to spread, with affected projects likely to get cloned, forked and used by many different systems. 

Once it infected a user, the malware conducted a search for evidence that the NetBeans integrated development environments (IDE) was in use on the developer system. If not, it would move on, but if so, it would backdoor the NetBeans project.

Octopus Scanner would ensure that every time a project was built, Java Archive (JAR) files got infected with a dropper, which drops something to the filesystem to execute.

The payload ensured local system persistence and would then spawn a remote administration tool (RAT) which connected to a set of command and control (C2) servers. It would also prevent any new project builds from replacing the infected one to ensure that malicious build's artifacts remained in place. There were 26 repositories affected in total.

“Since the primary-infected users are developers, the access that is gained is of high interest to attackers since developers generally have access to additional projects, production environments, database passwords, and other critical assets,” said GitHub security researcher Alvaro Muñoz. “There is a huge potential for escalation of access, which is a core attacker objective in most cases.”

“It was interesting that this malware attacked the NetBeans build process specifically since it is not the most common Java IDE in use today. If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed.”

The GitHub Security Lab was tipped off by an independent security researcher who warned that several GitHub-hosted repositories were actively serving malware, presumably unintentionally. A subsequent deep-dive showed that it was indeed malware designed to enumerate and backdoor NetBeans projects.

While infecting build processes is not an original idea, Muñoz continued, being actively deployed and used in the wild is a disturbing trend. GitHub has seen many cases where the open source supply chain has been compromised by hijacking developer credentials, for example, but none quite like Octopus Scanner.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Google Russia files for bankruptcy, ends operations in the country
Business operations

Google Russia files for bankruptcy, ends operations in the country

19 May 2022