Threat Management, Malware

Malware in GitHub-hosted projects designed to spread among open-source developers

Twenty-six open-source projects hosted on GitHub repositories were found to be infected with malware and capable of serving up weaponized code to potential developers in a potential supply chain attack, the GitHub Security Lab has disclosed.

An investigation into the incident turned up what GitHub described as a first: "malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself." NetBeans is an integrated development environment (IDE) for the Java programming language.

A more typical software supply chain attack might involve stealing a developer's credentials or typosquatting popular package names, but this latest attack is notable because, from an open-source perspective, "it gives the malware an effective means of transmission since the affected projects will presumably get cloned, forked and used on potentially many different systems," explains GitHub staff security researcher Alvaro Muñoz in a company blog post. "The actual artifacts of these builds may spread even further in a way that is disconnected from the original build process and harder to track down after the fact."

"When organizations enlist a third-party code module, it means they are trusting the third party to not be malicious and to prioritize security. Unfortunately, regardless of the trust instilled, we still encounter malicious activities in open source," said Erez Yalon, head of security research at Checkmarx. "We continue to see various malicious activities that target developers who use packages, often involving backdoors that are hidden as dependencies in legitimate projects (such as getcookies), typosquatting, as well as targeting the maintainer of the package (such as eslint-scope).

"Using a self-replicating worm to take advantage of open source is nothing new, but it is the first time we’re seeing a worm abuse the NetBeans Build mechanism," Yalon continued. "As attackers continue to get more creative in their schemes, developers -- and ultimately, everyone involved in the decision to use third party code modules -- must re-evaluate software security and remain more vigilant than ever before.”

GitHub says that it first learned of the affected repositories on March 9 from the security researcher "JJ." The keepers of the affected repositories were likely not aware that the open-source NetBeans projects within were potentially dispensing malware to additional users who may have cloned and further built upon these projects, Muñoz notes. This presented a challenge for GitHub, as it looked for ways to expediently remove the malware -- dubbed Octopus Scanner -- without entirely shutting down the impacted user accounts.

When the malware identifies a NetBeans directory within a particular repository, it embeds a payload in the project files located within. But the malware also infects JAR files -- including dependencies -- with a dropper that maintains persistence and communicates with C2 servers via a remote administration tool, Muñoz states in the blog post. Additionally, the malware attempts to stop any new project builds from overwriting the malicious build.

From there, additional GitHub users can become infected if they build from an infected repository or if they use any of the weaponized artifacts that stem from a compromised build. This means that attacks could over time gain access to a multiple of open-source developers' projects, production environments and more, GitHub notes.

"There is a huge potential for escalation of access, which is a core attacker objective in most cases," writes Muñoz.

"This is a good example of how malicious packages tend to make headlines even when their impact was relatively small," said Rhys Arkins, director of product management at open-source security and license compliance management platform WhiteSource. "Such cases are intimidating because most developers know it could have happened to them, and it could have been much worse." However, Arkins noted that developers must not allow such malware incidents to distract them from more ubiquitous, known threats such as open-source vulnerabilities that require "much less effort for an attacker to exploit."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.