GitHub warns Java developers of new malware poisoning NetBeans projects

By Catalin Cimpanu for Zero Day | May 29, 2020 -- 05:00 GMT (22:00 PDT) | Topic: Security NetBeans

techrepublic cheat sheet

● How to become a developer: Salaries, skills, and the best languages to learn GitHub has issued a security alert on Thursday warning about a new malware strain that's been spreading on its site via boobytrapped Java projects. The malware, which GitHub's security team has named Octopus Scanner, has been found in projects managed using the Apache NetBeans IDE (integrated development environment), a tool used to write and compile Java applications. GitHub said it found 26 repositories uploaded on its site that contained the Octopus Scanner malware, following a tip it received from a security researcher on March 9. GitHub says that when other users would download any of the 26 projects, the malware would behave like a self-spreading virus and infect their local computers. It would scan the victim's workstation for a local NetBeans IDE installation, and proceed to burrow into the developer's other Java projects.

End goal: Install a remote access trojan (RAT)

The malware, which can run on Windows, macOS, and Linux, would then download a remote access trojan (RAT) as the final step of its infection, allowing the Octopus Scanner operator to rummage through an infected victim's computer, looking for sensitive information. GitHub says the Octopus Scanner campaign has been going on for years, with the oldest sample of the malware being uploaded on the VirusTotal web scanner in August 2018, time during which the malware operated unimpeded.

While GitHub says it found only 26 projects uploaded on its platform that contained traces of the Octopus Scanner malware, it believes that many more projects have been infected during the past two years. However, the true purpose of the attack was to place a RAT on the machines of developers working on sensitive projects or inside major software companies, and not necessarily to poison open-source Java projects. The RAT would have given the attacker(s) access to steal confidential information about upcoming tools, proprietary source code, or alter code to enable backdoors in enterprise or other closed-source software.

Other IDEs most likely targeted

"It was interesting that this malware attacked the NetBeans build process specifically since it is not the most common Java IDE in use today," GitHub's security team said in a report on Thursday. "If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed," GitHub added. "While infecting build processes is certainly not a new idea, seeing it actively deployed and used in the wild is certainly a disturbing trend." GitHub did not publish the name of the 26 poisoned projects, but has published details about Octopus Scanner's infection process, so NetBeans users and Java developers can look for signs if their projects have been altered. What's in a name? These DevOps tools come... SEE FULL GALLERY

1- 5of23 NEXT PREV

Security

● KashmirBlack botnet behind attacks on CMSs like WordPress, Joomla, Drupal, others ● The rise of the social bandits: How politics, injustice shapes how we view hacktivism ● Best security keys: Hardware two-factor authentication for online protection ● Best security cameras for business: Google Nest, Ring, Scout, and more ● Cyber security 101: Protect your privacy from hackers, spies, and the government ● How to keep connected cars safe from cyber attacks (ZDNet YouTube) ● Top 6 cheap home security devices in 2020 (CNET) ● Cybersecurity best practices: An open letter to end users (TechRepublic)

Join Discussion

Add Your Comment Add Your Comment

More from Catalin Cimpanu

Google How to enable Chrome's secret new Read Later feature

Security Hacker steals $24 million from cryptocurrency service 'Harvest Finance'

Security Adware found in 21 Android apps with more than 7 million downloads

Security Over 100 irrigation systems left exposed online without a password

By registering, you agree to the Terms of Use and acknowledge the data practices outlined in the Privacy Policy.

You will also receive a complimentary subscription to the ZDNet's Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe from these newsletters at any time.