The malware, which GitHub’s security team has named Octopus Scanner, has been found in projects managed using the Apache NetBeans IDE (integrated development environment), a tool used to write and compile Java applications.
GitHub said it found 26 repositories uploaded on its site that contained the Octopus Scanner malware, following a tip it received from a security researcher on March 9.
GitHub says that when other users would download any of the 26 projects, the malware would behave like a self-spreading virus and infect their local computers.
It would scan the victim’s workstation for a local NetBeans IDE installation and then burrow into the developer’s other Java projects.
End goal: Install a remote access trojan (RAT)
The malware, which can run on Windows, macOS, and Linux, would then download a remote access trojan (RAT) as the final step of its infection, allowing the Octopus Scanner operator to rummage through an infected victim’s computer, looking for sensitive information.
GitHub says the Octopus Scanner campaign has been going on for years: the oldest sample of the malware was uploaded to the VirusTotal web scanner in August 2018, and the malware has operated unimpeded since then.
While GitHub says it found only 26 projects uploaded on its platform that contained traces of the Octopus Scanner malware, it believes that many more projects have been infected during the past two years.
However, the true purpose of the attack was to place a RAT on the machines of developers working on sensitive projects or inside major software companies, and not necessarily to poison open-source Java projects.
The RAT would have allowed the attacker(s) to steal confidential information about upcoming tools or proprietary source code, or to alter code to enable backdoors in enterprise or other closed-source software.
“If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed,” GitHub added.
“While infecting build processes is certainly not a new idea, seeing it actively deployed and used in the wild is certainly a disturbing trend.”
GitHub did not publish the names of the 26 poisoned projects, but it has published details about Octopus Scanner’s infection process so that NetBeans users and Java developers can check whether their projects have been altered.