A new form of malware is revealed to have been targeting GitHub repositories in recent weeks, wreaking havoc across more than two dozen open source projects on the world’s largest coding collaboration forum.
Having spent much of the last ten weeks rooting out what it describes as a form of “virulent digital life”, cybersecurity experts at the popular version control platform announced earlier this month that a number of open source projects being hosted on GitHub repositories had fallen victim to a so-called ‘Octopus Scanner’, an OSS supply chain malware that targets Apache NetBeans—a relatively obscure integrated development environment (IDE) used to write Java software.
As a result, open source projects were left particularly vulnerable to the malware across a multitude of GitHub repositories.
GitHub, an online service based on the code versioning system Git, was launched in 2008 by Linux creator Linus Torvalds. In effect, it allows developers take snapshots of files in their software development projects, enabling them to revert their changes later or create different branches of a project for different people to work on.
GitHub also lets developers ‘push’ copies of repositories to its online service, allowing other developers to download them and collaborate.
Octopus Scanner spreads through GitHub repositories
After a tipoff on March 9 prompted GitHub Security Labs to analyze the Octopus Scanner, the Microsoft-owned platform released a detailed statement late last month, explaining how the malware lurks in GitHub repositories of open source projects uploaded to its site. It then activates when the infected GitHub repositories are downloaded, piggybacking to create a software program.
“After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself,” wrote Alvaro Muñoz, a , security researcher at Github, adding that a total of 26 open source projects had been detected to have been serving the malware.
“As we all know, life always finds a way—even virulent digital life,” added Muñoz.
“It was interesting that this malware attacked the NetBeans build process specifically since it is not the most common Java IDE in use today,” Muñoz noted further. “If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed.”
According to GitHub’s Security Incident Response Team SIRT, the Octopus Scanner carries out its malware attacks using what appears to be a sophisticated self-replication technique. When it detects the NetBeans IDE, it moves forward with its attack, installing an initial-stage dropper which it uses to fetch and execute a remote access trojan (RAT).
Once the GitHub repositories are successfully breached, the cybercriminals behind the malware are then enabled to gain full control over their targeted open source projects. To add insult to injury, the malware then blocks any option to overwrite or develop the code further, leaving the Octopus Scanner fully in control by ensuring that the infected code isn’t superseded with any updates or alterations.
“Since the primary-infected users are developers, the access that is gained is of high interest to attackers since developers generally have access to additional projects, production environments database passwords and other critical assets,” Muñoz wrote. “There is a huge potential for escalation of access, which is a core attacker objective in most cases.”
In effect, therefore, by taking control of the open-source supply chains in this way, the Octopus Scanner is able spread its malicious activity far and wide in a tentacle-like manner.
Supply chains attacks place open source projects at increasing risk
The fact that such a large number of GitHub repositories fell victim to the Octopus Scanner is noteworthy—not necessarily because such attacks are unusual, but rather because of the trend it may introduce.
This is the warning offered by Ronen Slavin, the co-founder and CTO at Israeli security company Cycode, who points out that more attention should be paid among cybersecurity experts toward protecting open source projects. “While software supply chain attacks aren’t breaking news, the escalation in the intensity and frequency of attacks in recent months is frightening, especially when we remain in the dark over their original targets and whether they are connected,” explained Slavin.
“This once again demonstrates that source code is the next frontier for cybersecurity,” he added.
Muñoz concluded his findings on a similar note. Speaking to the fact that open source projects being hosted in Github repositories have indeed been placed at considerable risk, Muñoz conceded that the trend indeed appears to be a gloomy one: “While infecting build processes is certainly not a new idea, seeing it actively deployed and used in the wild is certainly a disturbing trend.”