If making any comment at all, I would rewrite. If there were a vulnerability or the attack was large, I'm sure the GitHub team would have gotten in touch. The key themes are:

1. The attack was small, isolated, and is over.
2. Most builds do not leverage anything NetBeans-specific, such as this Ant build (I guessed at 2006).
3. Software supply chain risk is legitimate, and if action were needed or is needed in the future, something would happen.

Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware. The initial point of infection is undetermined and all activity with the malware has been shut down. The malware relied on projects created using an older customized Ant-based build system that has been in limited use since 2006. This does not impact users of other build systems like Maven or Gradle, or even most Ant users. The majority of NetBeans projects leverage native build tool integrations that are shared with continuous integration systems.

With over 44 million repositories hosted on GitHub [2], the scope of these 26 projects looks isolated and does not significantly impact the NetBeans community. Software supply chain attacks are not unique to any IDE, and the NetBeans contributor team will monitor the threat landscape to keep developers safe and aware.

[1] https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
[2] https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/

"Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware. The malware infiltrates the project structure of Ant-based applications in the format generated specifically by NetBeans. The owners of the 26 projects, which are mostly small Java applications, have been contacted and the infected projects have been set to private on GitHub. The malware campaign is no longer active, GitHub did not consider it relevant enough to be in touch with the NetBeans community about it, and there is no evidence that applications beyond the 26 in question have been impacted.

Be aware that any project structure that you use when developing applications can be infiltrated by malware and make sure that the files you check into your versioning system are your own or that you know where they come from and what they do."

________________________________
From: Neil C Smith <neilcsm...@apache.org>
Sent: Sunday, May 31, 2020 1:51 PM
To: dev <dev@netbeans.apache.org>
Subject: Re: Proposed blog on malware report

On Sun, 31 May 2020, 18:08 Geertjan Wielenga, <geert...@apache.org> wrote:

> Be aware that any project structure that you use when developing
> applications can be infiltrated by malware and make sure that the files you
> check into your versioning system are your own or that you know where they
> come from and what they do."
>
>
> Feedback welcome and needed.
>

Looks good to me, but I'd be tempted to emphasise "when developing applications, with any IDE or build system, ..."

And also that you should treat building untrusted code the same way you'd treat running untrusted binaries, i.e. carefully.

Interesting that the GitHub article doesn't mention that this applies to projects that were originally structured with Ant in NetBeans. You wouldn't have to still be building in the IDE to be exploited here?

Best wishes,

Neil
>
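The draft's advice (know what every file you check in is and where it came from) and Neil's point that you do not need to be building in the IDE to be affected both come down to one practical control: treat the generated build metadata of a checkout as code, record what it should contain, and re-check it before a build runs, whether in the IDE or in CI. The script below is an added example and is not code from the NetBeans project or from the GitHub report. It assumes the standard NetBeans Ant project layout in which generated build files live under an nbproject/ directory; the thread does not say which files the malware touched, so the file names, the "tampered" edit and the opaque blob in the demo are all constructed for illustration.

```python
"""Integrity check for the generated build metadata of a NetBeans Ant project.

Added example, not code from the NetBeans project or the GitHub report. Assumes the
standard NetBeans Ant layout in which generated build files live under nbproject/.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories whose contents NetBeans generates for Ant-based projects (assumed layout).
WATCHED_DIRS = ("nbproject",)


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_binary(path: Path) -> bool:
    """Heuristic: a NUL byte in the first 8 KiB means this is not an XML/properties file."""
    with path.open("rb") as fh:
        return b"\x00" in fh.read(8192)


def build_manifest(project_root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every file under the watched directories."""
    manifest = {}
    for name in WATCHED_DIRS:
        base = project_root / name
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if path.is_file():
                manifest[path.relative_to(project_root).as_posix()] = sha256_of(path)
    return manifest


def check_manifest(project_root: Path, manifest: dict) -> dict:
    """Diff the checkout against a previously recorded manifest.

    Returns sorted lists: 'modified' (hash changed), 'added' (not in manifest),
    'missing' (in manifest but gone) and 'opaque' (added or modified files that
    look binary, which have no business in a directory of generated XML).
    """
    current = build_manifest(project_root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    added = sorted(p for p in current if p not in manifest)
    missing = sorted(p for p in manifest if p not in current)
    opaque = sorted(p for p in modified + added if looks_binary(project_root / p))
    return {"modified": modified, "added": added, "missing": missing, "opaque": opaque}


def demo() -> dict:
    """Constructed sample: record a clean checkout, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        nb = root / "nbproject"
        nb.mkdir()
        (nb / "build-impl.xml").write_text(
            '<project name="app-impl"><target name="jar"/></project>\n')
        (nb / "project.properties").write_text("main.class=app.Main\n")
        clean = build_manifest(root)  # in real use, commit this next to the project

        # Simulated tampering (constructed, not taken from the report): the generated
        # build file is edited and an opaque blob appears beside it.
        (nb / "build-impl.xml").write_text(
            '<project name="app-impl"><target name="jar"><!-- edited --></target></project>\n')
        (nb / "unexpected.bin").write_bytes(b"\x00\x01\x02\xff" * 8)
        return check_manifest(root, clean)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Commit the manifest produced by build_manifest() alongside the project and run check_manifest() as the first step of the CI build; any entry in "modified", "added" or "opaque" should fail the build until a human has read the diff, because an Ant build file is executable code and a changed one deserves the same scrutiny as an unknown binary.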