Octopus Scanner Compromises 26 OSS Projects on GitHub

Updated from original May 29th post.

Making a salad for lunch or dinner? What ingredients do you use? Lettuce, carrots, onions, tomatoes, dressing? If you go only by the list of ingredients, you know what you used, but not the quality of the ingredients themselves. In the realm of software composition analysis (SCA), evaluating a list of ingredients by name (the manifest) and evaluating the binaries themselves (advanced binary fingerprinting) can give very different results: a manifest tells you which component a build claims to contain, while a fingerprint tells you whether the bytes actually shipped are the ones that component is supposed to have. When it comes to DevSecOps practice, that difference can separate shipping high quality code from being breached tomorrow.
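To make the manifest-versus-binary distinction concrete, here is an added example (not code from the Sonatype post or from any scanner it discusses). It builds two small in-memory JARs with constructed placeholder contents: a "clean" build and a "tampered" build that declares exactly the same Implementation-Title and Implementation-Version in its manifest but carries a modified class and an extra injected class. A manifest-only check passes both; a per-entry SHA-256 fingerprint comparison against the known-good build flags the tampered one. The coordinates `example-lib` / `1.2.3`, the entry names and the class bytes are all hypothetical.

```python
"""Manifest-only vs. binary-fingerprint checks on build artifacts (added example)."""
import hashlib
import io
import zipfile

# --- Constructed sample artifacts (hypothetical, not real binaries) -------------
MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Implementation-Title: example-lib\r\n"
    "Implementation-Version: 1.2.3\r\n"
    "\r\n"
)


def build_jar(entries: dict[str, bytes]) -> bytes:
    """Assemble an in-memory JAR (a zip archive) from {entry_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# 0xCAFEBABE is the real JVM class-file magic; the rest is filler standing in
# for compiled code so the example runs offline.
CLEAN_ENTRIES = {
    "META-INF/MANIFEST.MF": MANIFEST.encode(),
    "com/example/App.class": b"\xca\xfe\xba\xbe" + b"\x00" * 32,
}
# Same manifest, same declared name and version, but App.class has changed and
# an extra class has been injected: exactly what a manifest check cannot see.
TAMPERED_ENTRIES = {
    **CLEAN_ENTRIES,
    "com/example/App.class": b"\xca\xfe\xba\xbe" + b"\x01" * 32,
    "com/example/Loader.class": b"\xca\xfe\xba\xbe" + b"\xff" * 32,
}
CLEAN_JAR = build_jar(CLEAN_ENTRIES)
TAMPERED_JAR = build_jar(TAMPERED_ENTRIES)


def read_manifest(jar: bytes) -> dict[str, str]:
    """Parse META-INF/MANIFEST.MF into a {header: value} dict."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode()
    headers = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            headers[key] = value
    return headers


def manifest_check(jar: bytes, title: str, version: str) -> bool:
    """Manifest-level SCA: trust the coordinates the artifact declares about itself."""
    m = read_manifest(jar)
    return (m.get("Implementation-Title") == title
            and m.get("Implementation-Version") == version)


def entry_fingerprints(jar: bytes) -> dict[str, str]:
    """Binary-level SCA: SHA-256 of every entry's decompressed content."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist()}


def fingerprint_check(jar: bytes, known_good: dict[str, str]) -> list[str]:
    """Compare an artifact's entries against known-good fingerprints.

    Returns a sorted list of findings; an empty list means every entry matches.
    """
    actual = entry_fingerprints(jar)
    findings = []
    for name, digest in actual.items():
        if name not in known_good:
            findings.append(f"unexpected entry: {name}")
        elif known_good[name] != digest:
            findings.append(f"modified entry: {name}")
    for name in known_good:
        if name not in actual:
            findings.append(f"missing entry: {name}")
    return sorted(findings)


# The fingerprints a release pipeline would have recorded for the clean build.
KNOWN_GOOD = entry_fingerprints(CLEAN_JAR)

if __name__ == "__main__":
    for label, jar in (("clean", CLEAN_JAR), ("tampered", TAMPERED_JAR)):
        print(f"{label:8s} manifest ok: {manifest_check(jar, 'example-lib', '1.2.3')}"
              f"  fingerprint findings: {fingerprint_check(jar, KNOWN_GOOD) or 'none'}")
```

The manifest check returns True for both archives because the attacker never touched the manifest; only the per-entry fingerprints expose the modified `App.class` and the injected `Loader.class`. In a real pipeline the known-good table would come from a trusted source (a signed release, a reproducible build, or a component intelligence database) rather than from the same build being checked.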


Reports are just surfacing about a new form of software supply chain attack that targets open source software projects on GitHub. So far, 26 open source projects have been impacted, leaving developers who rely on those projects exposed to the malware that has been injected into their code.

According to GitHub’s security lab,

“On March 9, we received a message from a security researcher informing us about a set of GitHub-hosted repositories that were, presumably unintentionally, actively serving malware. After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself.”  

The malware is being referred to as the Octopus Scanner.

For several years, our annual State of the Software Supply Chain Report has detailed forms of OSS supply chain attack such as malicious code injection, stolen project credentials, and typosquatting, but Octopus takes a new approach. Rather than targeting the OSS project code itself, this attack targets the tools developers use to build their code, so that the build process and its resulting artifacts become the means by which the malware spreads.

Those leading DevSecOps practices speak of (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Brian Fox. Read the original post at: