New Octopus Scanner Malware Poisoning NetBeans Projects on Github

The security of the open-source supply chain is about the integrity of the entire software development and delivery ecosystem. A self-spreading and OSS supply chain malware was found abusing Github repositories.

What is happening

On March 9, 2020, GitHub’s Security Incident Response Team (SIRT) received its initial notification about a set of repositories that were actively serving malware-infected open source projects. Since then, Github has found 26 repositories on its platform that contained traces of the Octopus Scanner.
  • In May 2020, GitHub issued a warning about this new malware strain that's been spreading on its site via boobytrapped Java projects. The Octopus Scanner has been found in projects managed using the Apache NetBeans integrated development environment (IDE).
  • The malware itemizes and backdoors NetBeans repositories after planting malicious malware within JAR binaries, project files, and dependencies, later spreading to downstream development systems. It has primarily-infected developers to gain access to additional projects, production environments, database passwords, and other critical assets.
  • The malware can run on Windows, Linux, and macOS systems and deploy a Remote Administration Tool (RAT) via the GitHub supply chain attack. Octopus Scanner is also designed to block new builds from replacing the compromised ones by keeping its malicious build artifacts in place.

This is not the first case

Octopus malware is part of the Phobos ransomware family. Octopus can upload and download files, take screenshots, and dig into other personal data on infected machines. From its origin, it has mainly focused on political and diplomatic officials in Central Asia.
  • In November 2018, Octopus Scanner, disguised as a version of a popular and legitimate online messenger (Telegram), targeted Central Asian diplomatic organizations in a wave of cyber-espionage. It subsequently provided hackers with remote access to a victim’s computer.
  • In April 2018, the DustSquad group used the potential Telegram ban in Kazakhstan to push as an alternative communication software for the political opposition with a Russian interface. The Octopus Scanner, which was used in the attacks, leveraged third-party Delphi libraries for compression.

Stay safe

Organizations should sign agreements with all vendors and contractors to strictly follow data security policies. Also, users should keep all software and systems up-to-date. Employing adequate protection measures for safety can detect any malicious activity and potential issues earlier. Scan the computer using trusted end-point solutions.