Octopus Scanner infected NetBeans builds
Octopus Scanner backdoored 26 NetBeans projects on GitHub. The malware infected build artifacts and propagated when developers built already-compromised projects.
Story
Octopus Scanner reached GitHub as a strange abuse report: repositories were serving malware, but the maintainers did not appear to be the attackers. GitHub Security Lab traced the problem to 26 open-source NetBeans projects whose checked-in sources and artifacts had already been infected.
On an infected developer machine the malware enumerated NetBeans projects by their nbproject/ metadata directory, dropped its payload at nbproject/cache.dat, and modified nbproject/build-impl.xml, the Ant build file that NetBeans generates and that few people ever read. That edit hooked the normal build flow so the payload ran whenever the project was built.
The build step was the distribution mechanism. A developer who cloned and built an infected project could produce infected JARs, and GitHub also found variants that backdoored existing JAR dependencies checked into the project. Deleting the obvious dropped file was not enough while the repository still carried tainted artifacts.
The payload chain then moved from project infection to host persistence. The first-stage dropper unpacked octopus.dat, installed autostart or scheduled-task persistence depending on platform, and spawned a remote administration tool that attempted to reach command-and-control infrastructure. GitHub reported that the C2 servers did not appear active during analysis, but the infected repositories still exposed anyone who cloned and built them to the dropper.
GitHub removed or cleaned affected projects and published hashes for defenders. This record treats the 26 projects as artifact scope, not as a human victim count. The important lesson is the trust boundary: source review may miss a build-system backdoor if the project file that orchestrates compilation is already part of the attack.
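The checks the narrative above implies, as an added Python example that is not GitHub Security Lab's tooling or any project's own code: it looks for the dropped nbproject/cache.dat, compares nbproject/build-impl.xml against a trusted baseline and searches it for the payload name, hashes every file in the checkout against the published IOC hashes, and lists checked-in JARs for rebuild or review. The Ant hook it injects into its own sample tree is an assumption (the record does not reproduce the real modification), and the sample tree is constructed, not a real infected project.

```python
"""Scan a checked-out NetBeans project for Octopus Scanner style tampering.

Added example for this record, not GitHub Security Lab's tooling. It checks
the three things the write-up points at: a dropped nbproject/cache.dat,
a modified nbproject/build-impl.xml, and binaries (JARs, droppers) checked
into the repository, the latter compared against a SHA-256 IOC list.
"""
import hashlib
import tempfile
from pathlib import Path

# The two hashes published in this record. Extend with the full IOC list.
KNOWN_IOC_SHA256 = {
    "12c05ce238ee44fa8ff7be4f0c1090b4d72d7836c267b977b82ebd57a13db4ae",
    "d5f3a93e8e2305d18fb358aaa31ec18b0c3e3733b770f6e08b9580f86749d44b",
}

# Constructed stand-in for a clean generated build-impl.xml. A real baseline
# is the file NetBeans regenerates from project.xml, or a copy taken from a
# commit known to predate the infection.
CLEAN_BUILD_IMPL = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<project name="example-impl" basedir="..">\n'
    '    <target name="jar" description="Build JAR."/>\n'
    '</project>\n'
)

# Assumed shape of an injected hook: the record says build-impl.xml was
# edited to run cache.dat on build but does not reproduce the XML, so this
# is an illustration, not the real Octopus Scanner modification.
ASSUMED_HOOK = (
    '    <target name="-post-jar">\n'
    '        <java jar="${basedir}/nbproject/cache.dat" fork="true"/>\n'
    '    </target>\n'
)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_project(root, ioc_hashes=KNOWN_IOC_SHA256, baseline_build_impl=None):
    """Return sorted (finding, relative_path) pairs for one project checkout."""
    root = Path(root)
    findings = []
    nbproject = root / "nbproject"

    if (nbproject / "cache.dat").is_file():
        findings.append(("dropped_payload", "nbproject/cache.dat"))

    build_impl = nbproject / "build-impl.xml"
    if build_impl.is_file():
        xml = build_impl.read_text(encoding="utf-8", errors="replace")
        if "cache.dat" in xml:
            findings.append(("build_hook_references_payload", "nbproject/build-impl.xml"))
        # A generated file should match its regenerated or last-trusted copy
        # byte for byte; any drift is a candidate build-system backdoor.
        if baseline_build_impl is not None and xml != baseline_build_impl:
            findings.append(("build_impl_differs_from_baseline", "nbproject/build-impl.xml"))

    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if sha256_of(path) in ioc_hashes:
            findings.append(("ioc_hash_match", rel))
        # Checked-in JARs are the artifacts the variants backdoored; each one
        # needs a rebuild from source or a hash check against upstream.
        if path.suffix.lower() == ".jar":
            findings.append(("checked_in_jar", rel))
    return sorted(findings)


def build_sample_project(root):
    """Constructed infected-looking project tree for the demo (not a real sample)."""
    root = Path(root)
    (root / "nbproject").mkdir(parents=True, exist_ok=True)
    (root / "nbproject" / "project.xml").write_text("<project/>\n", encoding="utf-8")
    (root / "nbproject" / "cache.dat").write_bytes(b"placeholder, not malware")
    tampered = CLEAN_BUILD_IMPL.replace("</project>", ASSUMED_HOOK + "</project>")
    (root / "nbproject" / "build-impl.xml").write_text(tampered, encoding="utf-8")
    (root / "lib").mkdir(exist_ok=True)
    (root / "lib" / "vendored.jar").write_bytes(b"PK\x03\x04 placeholder jar")
    return root


def demo():
    """Build the constructed sample, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_project(tmp)
        # Add the placeholder payload's hash as an IOC so the hash path fires.
        iocs = KNOWN_IOC_SHA256 | {sha256_of(root / "nbproject" / "cache.dat")}
        return scan_project(root, iocs, baseline_build_impl=CLEAN_BUILD_IMPL)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:34} {rel}")
```

Against a real checkout, obtain the baseline by regenerating build-impl.xml from project.xml in a clean NetBeans install or by taking it from a commit that predates the observed window; the byte-for-byte comparison is the strong signal, the string search for the payload name is the cheap one that a renamed payload would evade.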
Affected Artifacts
- Observed: 2018-08-01 to 2020-05-28
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes:
  - sha256:12c05ce238ee44fa8ff7be4f0c1090b4d72d7836c267b977b82ebd57a13db4ae
  - sha256:d5f3a93e8e2305d18fb358aaa31ec18b0c3e3733b770f6e08b9580f86749d44b
- Evidence
- mirror: github.com/advisories, malware: Octopus Scanner, ecosystem: NetBeans, file: nbproject/cache.dat, +4 more
- GitHub reported 26 affected open-source projects; that is artifact scope rather than confirmed affected-user count.
- GitHub's analysis identified four variants of the malware. Some infected build outputs and checked-in dependencies, while one performed only local system infection without touching build artifacts.
Incident Context
- Motive: Remote Access
- Cause: Compromised Dependency
- Transitive: Yes
External References
- The Octopus Scanner Malware - Attacking the open source supply chain (github.blog)
- Beyond SolarWinds - The Octopus Scanner supply chain attack (cycode.com)
- Researchers Uncover Malware Attacking Supply Chain With 26 Open Source Projects in Its Clutches (darkreading.com)
- Octopus Scanner compromises 26 OSS projects on GitHub (sonatype.com)
- GitHub finds 26 projects compromised by Octopus Scanner malware (cyberscoop.com)
- Supply chain attack hits 26 open source projects on GitHub (techtarget.com)
- The Octopus Scanner Malware - Attacking the Open Source Supply Chain (cloudsecurityalliance.org)
Source record: oss/attacks/octopus-scanner/meta.yaml