Thank you, Geertjan; hello, everyone. Great work -- I first noticed what had happened from Emilian's, followed by your, tweets yesterday. I see that quite a few articles are out on this Octopus Scanner campaign.

Rapid response is essential to avoid further confusion/miscommunication, so great work on getting on this straight away. I have two minor requests: if you could 1) please refer to "Apache Ant" and "Apache NetBeans" upon the first mention of the projects in the post, that would be great. Also, 2) send this to [email protected] so we can help spread the word. I'll be standing by to help with any media queries that come through for the PMC.

Many kind thanks for your ongoing efforts.

Best,
Sally

- - -
Vice President Marketing & Publicity
Vice President Sponsor Relations
The Apache Software Foundation
Tel +1 617 921 8656 | [email protected]

On Mon, Jun 1, 2020, at 02:48, Geertjan Wielenga wrote:
>
> Hi Sally,
>
> We propose putting the below on the Apache NetBeans blog re the GitHub malware report on the inactive malware campaign.
>
> To everyone else — Sally is VP Marketing and Publicity at Apache.
>
> Thanks, and thanks Eric for your rewrite of the text.
>
> Gj
>
> On Sun, 31 May 2020 at 22:39, Erik Costlow <[email protected]> wrote:
>> If making any comment at all, I would rewrite. If there were a vulnerability or the attack was large, I'm sure the GitHub team would have gotten in touch. The key themes are:
>>
>> 1. The attack was small, isolated, and is over
>> 2. Most builds do not leverage anything netbeans-specific, such as this ant build (I guessed at 2006)
>> 3. Software supply chain risk is legitimate and if action were needed or is needed in the future, something would happen
>>
>> Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware. The initial point of infection is undetermined and all activity with the malware has been shut down. The malware relied on projects created using an older customized ant-based build system that has been in limited use since 2006. This does not impact users of other build systems like Maven or Gradle, or even most ant users. The majority of NetBeans projects leverage native build tool integrations that are shared with continuous integration systems.
>> With over 44 million repositories hosted on GitHub[2], the scope of these 26 projects looks isolated and does not significantly impact the NetBeans community.
>> Software Supply Chain attacks are not unique to any IDE and the NetBeans contributor team will monitor the threat landscape to keep developers safe and aware.
>>
>> [1] https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
>> [2] https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/
>>
>>
>> "Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware. The malware infiltrates the project structure of Ant-based applications in the format generated specifically by NetBeans. The owners of the 26 projects, which are mostly small Java applications, have been contacted and the infected projects have been set to private on GitHub. The malware campaign is no longer active, GitHub did not consider it relevant enough to be in touch with the NetBeans community about it, and there is no evidence that applications beyond the 26 in question have been impacted. Be aware that any project structure that you use when developing applications can be infiltrated by malware and make sure that the files you check into your versioning system are your own or that you know where they come from and what they do."
>>
>>
>> ________________________________
>> From: Neil C Smith <[email protected]>
>> Sent: Sunday, May 31, 2020 1:51 PM
>> To: dev <[email protected]>
>> Subject: Re: Proposed blog on malware report
>>
>> On Sun, 31 May 2020, 18:08 Geertjan Wielenga, <[email protected]> wrote:
>>
>> > Be aware that any project structure that you use when developing applications can be infiltrated by malware and make sure that the files you check into your versioning system are your own or that you know where they come from and what they do."
>> >
>> >
>> > Feedback welcome and needed.
>> >
>>
>> Looks good to me, but I'd be tempted to emphasise "when developing applications, with any IDE or build system, ..." And also that you should treat building untrusted code the same way you'd treat running untrusted binaries, i.e. carefully.
>>
>> Interesting that the GitHub article doesn't mention that this applies to projects that were originally structured with Ant in NetBeans. You wouldn't have to still be building in the IDE to be exploited here?
>>
>> Best wishes,
>>
>> Neil
>>
>>
>
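One defensive check in the spirit of the advice quoted above (make sure the build files you check into version control are your own): an added Python example, not code from the NetBeans project or from anyone on this thread, that records SHA-256 hashes of the build files a NetBeans Ant project generates and flags build files that changed or appeared since the tree was last reviewed. It assumes the usual NetBeans Ant layout (build.xml plus the nbproject/ directory); the sample trees at the bottom are constructed for illustration.

```python
import hashlib
import os

# Build files NetBeans generates for an Ant-based project (assumed layout); any
# change to them, or any extra file under nbproject/, deserves review before commit.
NB_BUILD_FILES = {"build.xml", "nbproject/build-impl.xml",
                  "nbproject/project.xml", "nbproject/project.properties"}

def is_build_file(path: str) -> bool:
    return path in NB_BUILD_FILES or path.startswith("nbproject/")

def baseline(files: dict) -> dict:
    """SHA-256 of each build file in a tree you have already reviewed."""
    return {p: hashlib.sha256(b).hexdigest()
            for p, b in files.items() if is_build_file(p)}

def audit(files: dict, base: dict) -> dict:
    """List build files that changed, appeared or vanished since the baseline."""
    report = {"modified": [], "unexpected": [], "missing": []}
    for path, data in files.items():
        if not is_build_file(path):
            continue  # ordinary sources are reviewed as normal diffs
        if path not in base:
            report["unexpected"].append(path)
        elif hashlib.sha256(data).hexdigest() != base[path]:
            report["modified"].append(path)
    report["missing"] = [p for p in base if p not in files]
    return {k: sorted(v) for k, v in report.items()}

def read_tree(root: str) -> dict:
    """Load a checked-out project into the path -> bytes mapping audit() takes."""
    tree = {}
    for d, _, names in os.walk(root):
        for name in names:
            full = os.path.join(d, name)
            with open(full, "rb") as fh:
                tree[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return tree

# Constructed sample data: a reviewed tree, then a later checkout where one generated
# build file was altered and a file NetBeans never writes appeared under nbproject/.
REVIEWED = {
    "build.xml": b"<project name='app' default='jar' basedir='.'/>",
    "nbproject/build-impl.xml": b"<project name='app-impl'/>",
    "src/app/Main.java": b"class Main {}",
}
LATER = dict(REVIEWED, **{
    "nbproject/build-impl.xml": b"<project name='app-impl'><target name='x'/></project>",
    "nbproject/extra.bin": b"\x00opaque\x00",  # constructed placeholder, not a real IoC
})
```

Running `audit(read_tree("path/to/checkout"), saved_baseline)` from a pre-commit hook or CI step gives a reviewer a short list of build-file changes to look at by hand, which is the step the quoted advice asks for.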
