Twenty-six open-source projects hosted on GitHub repositories were found to be infected with malware and capable of serving up weaponized code to potential developers in a potential supply chain attack, the GitHub Security Lab has disclosed.
An investigation into the incident turned up what GitHub described as a first: "malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself." NetBeans is an integrated development environment (IDE) for the Java programming language.
A more typical software supply chain attack might involve stealing a developer's credentials or typosquatting popular package names, but this latest attack is notable because, from an open-source perspective, "it gives the malware an effective means of transmission since the affected projects will presumably get cloned, forked and used on potentially many different systems," explains GitHub staff security researcher Alvaro Muñoz in a company blog post. "The actual artifacts of these builds may spread even further in a way that is disconnected from the original build process and harder to track down after the fact."
Please register to continue.
Already registered? Log in.
Once you register, you'll receive:
The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.
Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.
SC Media’s essential morning briefing for cybersecurity professionals.
One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.