There’s a new form of attack that has found its way into GitHub. This attack, dubbed Octopus Scanner, infects a developer’s tools, which could then infect all the projects that developer is working on.
That’s significant because the malware doesn’t just target an application, it targets the entire supply chain — from development to delivery. So instead of malicious code having to be injected into numerous events along the chain, Octopus Scanner only needs to target the top.
This new attack was first discovered on March 9, when GitHub received a message from a security researcher regarding GitHub repositories that were actively serving malware. As soon as GitHub dug into this matter, they discovered something they’d never seen before — malware designed to enumerate and backdoor its way into Apache NetBeans projects. This malware then uses the build process (and its resulting artifacts) to spread itself.
Very quickly, GitHub discovered 26 open source projects that had been compromised by the malware and were serving up backdoored code.
The Octopus Scanner process function like so:
- It first identifies the targeted user’s NetBeans directory.
- Once identified, it enumerates all projects within the NetBeans directory.
- The malware then copies its malicious payload (cache.dat) into nbproject/cache.dat.
- The cache.dat is then modified to ensure the malicious payload is executed every time the NetBeans project is built.
- If the malicious payload is an instance of the Octopus Scanner, the newly built JAR file is then infected.
- Once infected, the Malware would then search for indications the NetBeans IDE was being used by the targeted developer.
- If the NetBeans IDE was in use, Octopus Scanner would backdoor all NetBeans project builds and attempt to prevent any new project builds from replacing the infected build.
This malware is made worse, because multiple developers may be downloading the infected project, which then infects the IDEs on their machines. So those 26 projects could quickly turn into hundreds, if not thousands, of infected IDEs… which would in turn create infected builds.
Although this isn’t the first time GitHub has dealt with people using repositories to distribute malware, it is certainly one of the first instances of something targeting an OSS supply chain. What makes this even more challenging is that, under usual circumstances, GitHub would just shut the compromised repositories down. However, in this instance, the maintainers of the repositories had no idea they were infected. And because the projects were legitimate, blocking the repositories would have a negative impact on their business. To further complicate matters, these developers might well have access to additional projects, so escalation becomes a serious consideration.
At the moment, GitHub has no idea who was behind Octopus Scanner. What they do know, however, is that this particular attack has been in circulation since 2018.