https://blogs.apache.org/netbeans/entry/newly-identified-inactive-malware-campaign
There it is!

Gj

On Mon, Jun 1, 2020 at 11:55 AM Sally Khudairi <s...@apache.org> wrote:

> Thank you, Geertjan; hello, everyone.
>
> Great work -- I first noticed what had happened from Emilian's, followed by your, tweets yesterday. I see that quite a few articles are out on this Octopus Scanner campaign.
>
> Rapid response is essential to avoid further confusion/miscommunication, so great work on getting on this straight away.
>
> I have two minor requests: if you could 1) please refer to "Apache Ant" and "Apache NetBeans" upon the first mention of the projects in the post, that would be great. Also, 2) send this to annou...@apache.org so we can help spread the word.
>
> I'll be standing by to help with any media queries that come through for the PMC.
>
> Many kind thanks for your ongoing efforts.
>
> Best,
> Sally
>
> - - -
> Vice President Marketing & Publicity
> Vice President Sponsor Relations
> The Apache Software Foundation
>
> Tel +1 617 921 8656 | s...@apache.org
>
>
> On Mon, Jun 1, 2020, at 02:48, Geertjan Wielenga wrote:
> >
> > Hi Sally,
> >
> > We propose putting the below on the Apache NetBeans blog re the GitHub malware report on the inactive malware campaign.
> >
> > To everyone else — Sally is VP Marketing and Publicity at Apache.
> >
> > Thanks, and thanks Erik for your rewrite of the text.
> >
> > Gj
> >
> > On Sun, 31 May 2020 at 22:39, Erik Costlow <erikcost...@outlook.com> wrote:
> >> If making any comment at all, I would rewrite. If there were a vulnerability or the attack was large, I'm sure the GitHub team would have gotten in touch. The key themes are:
> >>
> >> 1. The attack was small, isolated, and is over
> >> 2. Most builds do not leverage anything netbeans-specific, such as this ant build (I guessed at 2006)
> >> 3. Software supply chain risk is legitimate and if action were needed or is needed in the future, something would happen
> >>
> >> Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware. The initial point of infection is undetermined and all activity with the malware has been shut down. The malware relied on projects created using an older customized ant-based build system that has been in limited use since 2006. This does not impact users of other build systems like Maven or Gradle, or even most ant users. The majority of NetBeans projects leverage native build tool integrations that are shared with continuous integration systems.
> >> With over 44 million repositories hosted on GitHub[2], the scope of these 26 projects looks isolated and does not significantly impact the NetBeans community.
> >> Software Supply Chain attacks are not unique to any IDE and the NetBeans contributor team will monitor the threat landscape to keep developers safe and aware.
> >>
> >> [1] https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
> >> [2] https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/
> >>
> >>
> >> "Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware. The malware infiltrates the project structure of Ant-based applications in the format generated specifically by NetBeans. The owners of the 26 projects, which are mostly small Java applications, have been contacted and the infected projects have been set to private on GitHub. The malware campaign is no longer active, GitHub did not consider it relevant enough to be in touch with the NetBeans community about it, and there is no evidence that applications beyond the 26 in question have been impacted. Be aware that any project structure that you use when developing applications can be infiltrated by malware and make sure that the files you check into your versioning system are your own or that you know where they come from and what they do."
> >>
> >>
> >> ________________________________
> >> From: Neil C Smith <neilcsm...@apache.org>
> >> Sent: Sunday, May 31, 2020 1:51 PM
> >> To: dev <dev@netbeans.apache.org>
> >> Subject: Re: Proposed blog on malware report
> >>
> >> On Sun, 31 May 2020, 18:08 Geertjan Wielenga, <geert...@apache.org> wrote:
> >>
> >> > Be aware that any project structure that you use when developing applications can be infiltrated by malware and make sure that the files you check into your versioning system are your own or that you know where they come from and what they do."
> >> >
> >> >
> >> > Feedback welcome and needed.
> >> >
> >>
> >> Looks good to me, but I'd be tempted to emphasise "when developing applications, with any IDE or build system, ..." And also that you should treat building untrusted code the same way you'd treat running untrusted binaries, i.e. carefully.
> >>
> >> Interesting that the GitHub article doesn't mention that this applies to projects that were originally structured with Ant in NetBeans. You wouldn't have to still be building in the IDE to be exploited here?
> >>
> >> Best wishes,
> >>
> >> Neil
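The thread's practical advice, that the files you check in should be your own or of known origin, and that building untrusted code deserves the same care as running an untrusted binary, can be turned into a routine check. The script below is an added example written for this page; it is not code from the thread, from Apache NetBeans or from GitHub's report. It assumes a NetBeans-style Ant project whose build logic lives in build.xml, manifest.mf and the nbproject/ directory (the set of patterns is an assumption you would adjust per project), records a SHA-256 manifest of those files at the point a contributor reviewed them, and before the next commit reports any build file that was added, modified or removed since then. The sample project in demo() is constructed inline.

```python
"""Baseline-and-verify check for build-definition files in a checkout.

Added example (not code from the mailing-list thread, Apache NetBeans or GitHub).
Assumption: a NetBeans-style Ant project keeps its build logic in build.xml,
manifest.mf and the nbproject/ directory; these are the files a contributor
should know the origin of before they are checked in.
"""
import hashlib
import json
from pathlib import Path

# Files whose content drives the build and therefore deserves review before
# being committed. Constructed for this example; extend per project.
BUILD_FILE_PATTERNS = ("build.xml", "manifest.mf", "nbproject/*")


def _build_files(root: Path):
    """Yield build-related files under root as root-relative POSIX paths."""
    for pattern in BUILD_FILE_PATTERNS:
        for path in sorted(root.glob(pattern)):
            if path.is_file():
                yield path.relative_to(root).as_posix()


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root) -> dict:
    """Record {relative_path: sha256} for the build files as reviewed."""
    root = Path(root)
    return {rel: sha256_of(root / rel) for rel in _build_files(root)}


def verify(root, manifest: dict) -> dict:
    """Compare the current build files with a reviewed manifest.

    Returns {"added": [...], "modified": [...], "removed": [...]}. All three
    lists empty means every build file is byte-for-byte what was reviewed.
    """
    root = Path(root)
    current = {rel: sha256_of(root / rel) for rel in _build_files(root)}
    return {
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(
            rel for rel in current if rel in manifest and current[rel] != manifest[rel]
        ),
        "removed": sorted(set(manifest) - set(current)),
    }


def save_manifest(manifest: dict, path) -> None:
    """Persist a reviewed manifest (commit it alongside the project)."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: a reviewed checkout whose generated build script
    changes and gains an extra file before the next commit."""
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "nbproject").mkdir()
        (root / "build.xml").write_text('<project name="demo" default="jar"/>\n')
        (root / "nbproject" / "build-impl.xml").write_text("<project/>\n")
        reviewed = baseline(root)

        # Something rewrites the generated build script and drops in a helper.
        (root / "nbproject" / "build-impl.xml").write_text(
            '<project><target name="x"/></project>\n'
        )
        (root / "nbproject" / "extra.xml").write_text("<project/>\n")
        return verify(root, reviewed)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it on the constructed project reports nbproject/build-impl.xml as modified and nbproject/extra.xml as added, which is exactly the kind of change to read before committing; a clean run returns three empty lists. The manifest is only as trustworthy as the review that produced it, so it belongs in version control where its own changes are visible in diffs.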