GitHub has revealed that it recently discovered a powerful malware dubbed Octopus Scanner that not only infected devices owned by developers but also infected GitHub repositories and spread to new ones.
On 28th May, GitHub’s Security Incident Response Team (SIRT) reported that it had recently been alerted by a security researcher to malware that was spreading itself via infected GitHub repositories. Upon investigating the alert, the team discovered Octopus Scanner, a malware “designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself.”
JJ, the security researcher who alerted GitHub to the infection, told the company that as many as 26 GitHub repositories were infected by Octopus Scanner. Any developer who downloaded a project from an infected repository activated the malware on their own system. The malware would scan for a NetBeans IDE on the developer’s device and, if one was installed, infect every resulting JAR file with a dropper.
Once the dropper payload executes, it spawns a Remote Administration Tool (RAT) which connects to a set of C2 servers, gains control over the device, and prevents new project builds from replacing the infected build in order to preserve its malicious build artifacts.
“While we have seen many cases where the software supply chain was compromised by hijacking developer credentials or typosquatting popular package names, a malware that abuses the build process and its resulting artifacts to spread is both interesting and concerning for multiple reasons,” GitHub said.
“In an OSS context, it gives the malware an effective means of transmission since the affected projects will presumably get cloned, forked, and used on potentially many different systems. The actual artifacts of these builds may spread even further in a way that is disconnected from the original build process and harder to track down after the fact.
“Since the primary-infected users are developers, the access that is gained is of high interest to attackers since developers generally have access to additional projects, production environments, database passwords, and other critical assets. There is a huge potential for escalation of access, which is a core attacker objective in most cases,” it added.
The Security Incident Response Team also warned that, just as this malware was designed to attack the NetBeans build process, similar malware could be developed by attackers to target other frequently used build tools such as Make, MSBuild, Gradle and others.
To prevent this from happening, GitHub is planning to further improve the integrity and security of the OSS supply chain by introducing Dependency Graph, security alerts for vulnerable dependencies, automated security updates, as well as code scanning and secret scanning that help detect potential issues in code.
“The Octopus Scanner Malware validates the importance of analysing binaries within your code and not taking the word of the manifest. What makes Octopus so dangerous is that it has the capability to infect other JAR files in the project so a developer ends up using and distributing the mutated code to their team or community of open source users,” says Brian Fox, CTO at open source software security specialist Sonatype.
“We’ve seen over 20 one-off attempts at malicious code injection within OSS projects, but this is a new form of attack. This attack infects developer tools that subsequently infect all of the projects they are working on. It’s been open season on open source for a number of years, developers are on the front lines, and a new weapon has arrived on the battlefront.
“I’ve always described this in terms of a tainted food project. If you inspect a salad recipe, you’ll find all of the common ingredient names (aka the manifest), but quality is not an attribute of the ingredient list. ‘Tainted lettuce’ won’t be listed as an ingredient, but that doesn’t mean you won’t end up with E. coli when using it,” he adds.
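The infection mechanism described above (every built JAR gaining extra classes) and the Sonatype comment about analysing binaries rather than trusting the manifest both point to the same defensive check. The script below is an added example written for this article, not GitHub's or Sonatype's code: it lists the `.class` entries actually inside a built JAR and flags any class that no `.java` file in the project's source tree accounts for. The `src/<package>/<Class>.java` layout, the sample JAR and the placeholder class name `org.constructed.PlantedSample` are constructed assumptions.

```python
"""Audit a built JAR against the project's source tree.

A manifest only lists what the build claims; the zip entries show what
the build actually shipped. Inner classes (Foo$1.class) map to Foo.java.
"""
import io
import os
import re
import tempfile
import zipfile


def expected_classes(src_root):
    """Fully qualified class names implied by .java files under src_root."""
    found = set()
    for dirpath, _, files in os.walk(src_root):
        for name in files:
            if name.endswith(".java"):
                rel = os.path.relpath(os.path.join(dirpath, name), src_root)
                found.add(rel[:-5].replace(os.sep, "."))
    return found


def classes_in_jar(jar_bytes):
    """Fully qualified names of every .class entry inside the JAR (a zip)."""
    names = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if entry.endswith(".class"):
                base = re.sub(r"\$.*$", "", entry[:-6])  # Foo$1 -> Foo
                names.add(base.replace("/", "."))
    return names


def unexpected_classes(src_root, jar_bytes):
    """Classes shipped in the JAR that no source file in the project explains."""
    return sorted(classes_in_jar(jar_bytes) - expected_classes(src_root))


def demo():
    """Constructed sample: one real source file, a JAR carrying one extra class."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "src")
        os.makedirs(os.path.join(src, "com", "example"))
        with open(os.path.join(src, "com", "example", "App.java"), "w") as f:
            f.write("package com.example; public class App {}\n")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
            jar.writestr("com/example/App$1.class", b"\xca\xfe\xba\xbe")
            # Placeholder name for a planted class; not a real malware identifier.
            jar.writestr("org/constructed/PlantedSample.class", b"\xca\xfe\xba\xbe")
        return unexpected_classes(src, buf.getvalue())


if __name__ == "__main__":
    print(demo())
```

Run it against a freshly built artifact in CI and fail the build when the list is non-empty; a clean rebuild from source should never produce classes the tree does not contain.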