Also sent it to annou...@apache.org. I'll wait a few hours for any comments anyone has on the text, which is a bit of a mosaic of the comments throughout this thread -- mostly by Eric Costlow, many thanks! -- and will then tweet this, etc.
Gj

On Mon, Jun 1, 2020 at 1:27 PM Geertjan Wielenga <geert...@apache.org> wrote:
>
> https://blogs.apache.org/netbeans/entry/newly-identified-inactive-malware-campaign
>
> There it is!
>
> Gj
>
> On Mon, Jun 1, 2020 at 11:55 AM Sally Khudairi <s...@apache.org> wrote:
>
>> Thank you, Geertjan; hello, everyone.
>>
>> Great work -- I first noticed what had happened from Emilian's, followed by your, tweets yesterday. I see that quite a few articles are out on this Octopus Scanner campaign.
>>
>> Rapid response is essential to avoid further confusion/miscommunication, so great work on getting on this straight away.
>>
>> I have two minor requests: if you could 1) please refer to "Apache Ant" and "Apache NetBeans" upon the first mention of the projects in the post, that would be great. Also, 2) send this to annou...@apache.org so we can help spread the word.
>>
>> I'll be standing by to help with any media queries that come through for the PMC.
>>
>> Many kind thanks for your ongoing efforts.
>>
>> Best,
>> Sally
>>
>> - - -
>> Vice President Marketing & Publicity
>> Vice President Sponsor Relations
>> The Apache Software Foundation
>>
>> Tel +1 617 921 8656 | s...@apache.org
>>
>>
>> On Mon, Jun 1, 2020, at 02:48, Geertjan Wielenga wrote:
>> >
>> > Hi Sally,
>> >
>> > We propose putting the below on the Apache NetBeans blog re the GitHub malware report on the inactive malware campaign.
>> >
>> > To everyone else — Sally is VP Marketing and Publicity at Apache.
>> >
>> > Thanks, and thanks Eric for your rewrite of the text.
>> >
>> > Gj
>> >
>> > On Sun, 31 May 2020 at 22:39, Erik Costlow <erikcost...@outlook.com> wrote:
>> >> If making any comment at all, I would rewrite. If there were a vulnerability or the attack was large, I'm sure the GitHub team would have gotten in touch. The key themes are:
>> >>
>> >> 1. The attack was small, isolated, and is over
>> >> 2. Most builds do not leverage anything netbeans-specific, such as this ant build (I guessed at 2006)
>> >> 3. Software supply chain risk is legitimate and if action were needed or is needed in the future, something would happen
>> >>
>> >> Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware. The initial point of infection is undetermined and all activity with the malware has been shut down. The malware relied on projects created using an older customized ant-based build system that has been in limited use since 2006. This does not impact users of other build systems like Maven or Gradle, or even most ant users. The majority of NetBeans projects leverage native build tool integrations that are shared with continuous integration systems.
>> >>
>> >> With over 44 million repositories hosted on GitHub[2], the scope of these 26 projects looks isolated and does not significantly impact the NetBeans community.
>> >>
>> >> Software Supply Chain attacks are not unique to any IDE and the NetBeans contributor team will monitor the threat landscape to keep developers safe and aware.
>> >>
>> >> [1] https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
>> >> [2] https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/
>> >>
>> >>
>> >> "Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware. The malware infiltrates the project structure of Ant-based applications in the format generated specifically by NetBeans. The owners of the 26 projects, which are mostly small Java applications, have been contacted and the infected projects have been set to private on GitHub. The malware campaign is no longer active, GitHub did not consider it relevant enough to be in touch with the NetBeans community about it, and there is no evidence that applications beyond the 26 in question have been impacted. Be aware that any project structure that you use when developing applications can be infiltrated by malware and make sure that the files you check into your versioning system are your own or that you know where they come from and what they do."
>> >>
>> >>
>> >> ________________________________
>> >> From: Neil C Smith <neilcsm...@apache.org>
>> >> Sent: Sunday, May 31, 2020 1:51 PM
>> >> To: dev <dev@netbeans.apache.org>
>> >> Subject: Re: Proposed blog on malware report
>> >>
>> >> On Sun, 31 May 2020, 18:08 Geertjan Wielenga, <geert...@apache.org> wrote:
>> >>
>> >> > Be aware that any project structure that you use when developing applications can be infiltrated by malware and make sure that the files you check into your versioning system are your own or that you know where they come from and what they do."
>> >> >
>> >> >
>> >> > Feedback welcome and needed.
>> >> >
>> >>
>> >> Looks good to me, but I'd be tempted to emphasise "when developing applications, with any IDE or build system, ..." And also that you should treat building untrusted code the same way you'd treat running untrusted binaries, i.e. carefully.
>> >>
>> >> Interesting that the GitHub article doesn't mention that this applies to projects that were originally structured with Ant in NetBeans. You wouldn't have to still be building in the IDE to be exploited here?
>> >>
>> >> Best wishes,
>> >>
>> >> Neil