Thank you, Geertjan; hello, everyone. Great work -- I first noticed what had happened from Emilian's, followed by your, tweets yesterday. I see that quite a few articles are out on this Octopus Scanner campaign.

Rapid response is essential to avoid further confusion/miscommunication, so great work on getting on this straight away. I have two minor requests:

1) Please refer to "Apache Ant" and "Apache NetBeans" upon the first mention of the projects in the post; that would be great.
2) Send this to annou...@apache.org so we can help spread the word.

I'll be standing by to help with any media queries that come through for the PMC. Many kind thanks for your ongoing efforts.

Best,
Sally

- - -
Vice President Marketing & Publicity
Vice President Sponsor Relations
The Apache Software Foundation
Tel +1 617 921 8656 | s...@apache.org

On Mon, Jun 1, 2020, at 02:48, Geertjan Wielenga wrote:
>
> Hi Sally,
>
> We propose putting the below on the Apache NetBeans blog re the GitHub
> malware report on the inactive malware campaign.
>
> To everyone else — Sally is VP Marketing and Publicity at Apache.
>
> Thanks, and thanks Erik for your rewrite of the text.
>
> Gj
>
> On Sun, 31 May 2020 at 22:39, Erik Costlow <erikcost...@outlook.com> wrote:
>> If making any comment at all, I would rewrite. If there were a vulnerability
>> or the attack was large, I'm sure the GitHub team would have gotten in
>> touch. The key themes are:
>>
>> 1. The attack was small, isolated, and is over
>> 2. Most builds do not leverage anything netbeans-specific, such as this ant
>> build (I guessed at 2006)
>> 3. Software supply chain risk is legitimate and if action were needed or is
>> needed in the future, something would happen
>>
>> Researchers at GitHub have identified 26 projects on GitHub that have been
>> infected by malware. The initial point of infection is undetermined and all
>> activity with the malware has been shut down. The malware relied on projects
>> created using an older customized ant-based build system that has been in
>> limited use since 2006. This does not impact users of other build systems
>> like Maven or Gradle, or even most ant users. The majority of NetBeans
>> projects leverage native build tool integrations that are shared with
>> continuous integration systems.
>> With over 44 million repositories hosted on GitHub[2], the scope of these 26
>> projects looks isolated and does not significantly impact the NetBeans
>> community.
>> Software Supply Chain attacks are not unique to any IDE and the NetBeans
>> contributor team will monitor the threat landscape to keep developers safe
>> and aware.
>>
>> [1]
>> https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
>> [2]
>> https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/
>>
>>
>> "Researchers at GitHub have identified 26 projects on GitHub that have been
>> infected by malware. The malware infiltrates the project structure of
>> Ant-based applications in the format generated specifically by NetBeans.
>> The owners of the 26 projects, which are mostly small Java applications,
>> have been contacted and the infected projects have been set to private on
>> GitHub. The malware campaign is no longer active, GitHub did not consider
>> it relevant enough to be in touch with the NetBeans community about it, and
>> there is no evidence that applications beyond the 26 in question have been
>> impacted. Be aware that any project structure that you use when developing
>> applications can be infiltrated by malware and make sure that the files you
>> check into your versioning system are your own or that you know where they
>> come from and what they do."
>>
>>
>> ________________________________
>> From: Neil C Smith <neilcsm...@apache.org>
>> Sent: Sunday, May 31, 2020 1:51 PM
>> To: dev <dev@netbeans.apache.org>
>> Subject: Re: Proposed blog on malware report
>>
>> On Sun, 31 May 2020, 18:08 Geertjan Wielenga, <geert...@apache.org> wrote:
>>
>> > Be aware that any project structure that you use when developing
>> > applications can be infiltrated by malware and make sure that the files you
>> > check into your versioning system are your own or that you know where they
>> > come from and what they do."
>> >
>> >
>> > Feedback welcome and needed.
>> >
>>
>> Looks good to me, but I'd be tempted to emphasise "when developing
>> applications, with any IDE or build system, ..." And also that you should
>> treat building untrusted code the same way you'd treat running untrusted
>> binaries, i.e. carefully.
>>
>> Interesting that the GitHub article doesn't mention that this applies to
>> projects that were originally structured with Ant in NetBeans. You wouldn't
>> have to still be building in the IDE to be exploited here?
>>
>> Best wishes,
>>
>> Neil
>>
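The advice that closes the proposed blog text (know where every file you check into version control comes from and what it does) and Neil's point that a checked-out build deserves the same caution as an untrusted binary can be turned into a routine check that runs before you open or build a project. The script below is an added example; it is not code from this thread, from Apache NetBeans, or from GitHub's report. It walks a checked-out project and flags files inside build-configuration directories that are binary or of a type one would not expect among human-readable build files. The directory names (`nbproject` is the NetBeans Ant metadata directory; `build` and `dist` are assumed output directories that normally should not be committed) and the allow-list of text extensions are assumptions to adjust per project; the test data is constructed.

```python
"""Added example: flag non-text or unexpected files inside a checked-out
project's build-configuration directories, so that anything committed there
that is not a human-readable build file gets a second look before you build."""
import os
import sys

# Assumption: 'nbproject' holds NetBeans Ant build metadata; 'build' and
# 'dist' are common output directories that usually should not be committed.
WATCHED_DIRS = ("nbproject", "build", "dist")

# Assumption: the file types one expects to find in those directories as text.
TEXT_EXTENSIONS = {".xml", ".properties", ".txt", ".md"}


def looks_binary(path, sample_size=8192):
    """Heuristic: a NUL byte or invalid UTF-8 in the first 8 KiB means binary."""
    with open(path, "rb") as fh:
        chunk = fh.read(sample_size)
    if b"\x00" in chunk:
        return True
    try:
        chunk.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def audit_project(root, watched_dirs=WATCHED_DIRS, text_extensions=TEXT_EXTENSIONS):
    """Walk `root` and return sorted (relative_path, reason) pairs for every
    file under a watched directory that is binary or of an unexpected type.
    Paths are returned with '/' separators so results are stable across OSes."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS internals
        rel_dir = os.path.relpath(dirpath, root)
        if not any(part in watched_dirs for part in rel_dir.split(os.sep)):
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if looks_binary(full):
                findings.append((rel, "binary content in build-configuration directory"))
            elif os.path.splitext(name)[1].lower() not in text_extensions:
                findings.append((rel, "unexpected file type"))
    return sorted(findings)


def main(argv):
    """CLI entry point: print findings and exit non-zero if there are any,
    so the script can gate a CI job or a pre-build step."""
    root = argv[1] if len(argv) > 1 else "."
    findings = audit_project(root)
    for rel, reason in findings:
        print(f"{reason}: {rel}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_project.py /path/to/checkout`; a non-zero exit means something in a watched directory needs to be explained before the project is built. The check is deliberately coarse: it does not try to recognise any particular malware, only to surface files that have no business being text-free build metadata, which is the question the blog text asks developers to answer for themselves.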