Show vulnerabilities with patch / with exploit
1 June 2020

Octopus Scanner malware compromises open source projects in a massive GitHub supply chain attack


Octopus Scanner malware compromises open source projects in a massive GitHub supply chain attack

GitHub’s Security Incident Response Team (SIRT) has warned of a malware campaign that has been spreading on GitHub via compromised Java projects. The existence of the campaign has come to light in early March, when a security researcher has contacted the team about a set of GitHub repositories they discovered that have been actively serving malware.

Further investigation showed that the malware, dubbed Octopus Scanner, is designed to compromise NetBeans projects. The team found 26 open source projects that were backdoored by this malware and that were actively serving backdoored code, and the owners of affected projects were completely unaware of it.

The Octopus Scanner identifies the NetBeans project files and embeds malicious payload both in project files and build JAR files.

Below is a high -evel description of the Octopus Scanner operation:

  • Identify user's NetBeans directory

  • Enumerate all projects in the NetBeans directory

  • Copy malicious payload cache.dat to nbproject/cache.dat

  • Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time NetBeans project is build

  • If the malicious payload is an instance of the Octopus Scanner itself the newly built JAR file is also infected.

It appears the Octopus Scanner malware campaign has been going on for years. The researchers said the oldest sample of the malware was uploaded on the VirusTotal in August 2018.

“Even though the malware C2 servers didn't seem to be active at the time of analysis, the affected repositories still posed a risk to GitHub users that could potentially clone and build these projects,” the security team said.


Back to the list

Latest Posts

Weekly security roundup: July 13, 2020

Weekly security roundup: July 13, 2020

A short overview of last week's top stories in the world of cyber security.
13 July 2020
Hackers are attempting to exploit recent Citrix vulnerabilities

Hackers are attempting to exploit recent Citrix vulnerabilities

Citrix downplayed the impact of the vulnerabilities and said they are less likely to be exploited compared to CVE-2019-19781.
13 July 2020
Zoom patches critical bug affecting Zoom client for Windows

Zoom patches critical bug affecting Zoom client for Windows

The company has also released a planned update for Phone and Web users, which brings AES-256 bit encryption.
13 July 2020