Hi Sally,

We propose putting the below on the Apache NetBeans blog re the GitHub malware report on the inactive malware campaign.

To everyone else — Sally is VP Marketing and Publicity at Apache.

Thanks, and thanks Erik for your rewrite of the text.

Gj

On Sun, 31 May 2020 at 22:39, Erik Costlow <[email protected]> wrote:

> If making any comment at all, I would rewrite. If there were a
> vulnerability or the attack was large, I'm sure the GitHub team would have
> gotten in touch. The key themes are:
>
> 1. The attack was small, isolated, and is over
> 2. Most builds do not leverage anything netbeans-specific, such as this
> ant build (I guessed at 2006)
> 3. Software supply chain risk is legitimate and if action were needed
> or is needed in the future, something would happen
>
> Researchers at GitHub have identified 26 projects on GitHub that have been
> infected by malware. The initial point of infection is undetermined and all
> activity with the malware has been shut down. The malware relied on
> projects created using an older customized ant-based build system that has
> been in limited use since 2006. This does not impact users of other build
> systems like Maven or Gradle, or even most ant users. The majority of
> NetBeans projects leverage native build tool integrations that are shared
> with continuous integration systems.
> With over 44 million repositories hosted on GitHub[2], the scope of these
> 26 projects looks isolated and does not significantly impact the NetBeans
> community.
> Software Supply Chain attacks are not unique to any IDE and the NetBeans
> contributor team will monitor the threat landscape to keep developers safe
> and aware.
>
> [1]
> https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
> [2]
> https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/
>
>
> "Researchers at GitHub have identified 26 projects on GitHub that have been
> infected by malware. The malware infiltrates the project structure of
> Ant-based applications in the format generated specifically by NetBeans.
> The owners of the 26 projects, which are mostly small Java applications,
> have been contacted and the infected projects have been set to private on
> GitHub. The malware campaign is no longer active, GitHub did not consider
> it relevant enough to be in touch with the NetBeans community about it, and
> there is no evidence that applications beyond the 26 in question have been
> impacted. Be aware that any project structure that you use when developing
> applications can be infiltrated by malware and make sure that the files you
> check into your versioning system are your own or that you know where they
> come from and what they do."
>
>
> ________________________________
> From: Neil C Smith <[email protected]>
> Sent: Sunday, May 31, 2020 1:51 PM
> To: dev <[email protected]>
> Subject: Re: Proposed blog on malware report
>
> On Sun, 31 May 2020, 18:08 Geertjan Wielenga, <[email protected]> wrote:
>
> > Be aware that any project structure that you use when developing
> > applications can be infiltrated by malware and make sure that the files you
> > check into your versioning system are your own or that you know where they
> > come from and what they do."
> >
> >
> > Feedback welcome and needed.
> >
>
> Looks good to me, but I'd be tempted to emphasise "when developing
> applications, with any IDE or build system, ..." And also that you should
> treat building untrusted code the same way you'd treat running untrusted
> binaries, i.e. carefully.
>
> Interesting that the GitHub article doesn't mention that this applies to
> projects that were originally structured with Ant in NetBeans. You wouldn't
> have to still be building in the IDE to be exploited here?
>
> Best wishes,
>
> Neil
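The draft's advice to make sure the files you check in are your own, and Neil's point that a project's build files can be altered whether or not you still build in the IDE, can be turned into a routine check. The script below is an added example, not part of this thread or of the NetBeans project: it hashes the Ant build files a NetBeans-style project keeps at the top level and under nbproject/ (the watched file list is an assumption for this example), compares them against a known-good baseline, and reports anything modified, added, or missing. A pre-commit hook or CI job would treat any non-empty report as a change that needs human review before it is merged.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed file list: build files a NetBeans-generated Ant project typically
# carries. Adjust to the project; anything else found under nbproject/ is
# also tracked so that an unexpected new file shows up in the report.
WATCHED = (
    "build.xml",
    "nbproject/build-impl.xml",
    "nbproject/project.properties",
    "nbproject/project.xml",
)


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(repo: Path) -> dict:
    """Map repo-relative path -> SHA-256 for every watched build file and
    every file present under nbproject/."""
    manifest = {}
    for rel in WATCHED:
        candidate = repo / rel
        if candidate.is_file():
            manifest[rel] = sha256_file(candidate)
    nbproject = repo / "nbproject"
    if nbproject.is_dir():
        for candidate in nbproject.rglob("*"):
            if candidate.is_file():
                rel = candidate.relative_to(repo).as_posix()
                manifest.setdefault(rel, sha256_file(candidate))
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify build files relative to a known-good baseline."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "missing": missing}


def needs_review(report: dict) -> bool:
    """True when any build file changed; a hook would block the commit here."""
    return any(report[key] for key in ("modified", "added", "missing"))


def demo() -> dict:
    """Constructed sample: a tiny project, a baseline snapshot, then a copy
    in which one build file was edited and an unknown file appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "nbproject").mkdir()
        (repo / "build.xml").write_text("<project name='demo' default='jar'/>\n")
        (repo / "nbproject" / "build-impl.xml").write_text(
            "<project><target name='jar'/></project>\n"
        )
        (repo / "nbproject" / "project.properties").write_text("main.class=demo.Main\n")
        baseline = build_manifest(repo)  # this is what would be committed as the baseline

        # Simulate an unreviewed change arriving in the working tree (constructed).
        (repo / "nbproject" / "build-impl.xml").write_text(
            "<project><target name='jar'><echo message='changed'/></target></project>\n"
        )
        (repo / "nbproject" / "unexpected.bin").write_bytes(b"\x00\x01\x02")
        return diff_manifest(baseline, build_manifest(repo))


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        for f in files:
            print(f"{kind}: {f}")
    print("review needed" if needs_review(report) else "build files unchanged")
```

In real use the baseline manifest would be generated once from a reviewed checkout and stored alongside the code (or in CI configuration), and the check would run against the working tree before each commit; the point is that a change to a build script gets the same scrutiny as a change to source, because the build script runs with the developer's privileges just like any other program.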
