octopus-scanner
Octopus Scanner backdoored 26 NetBeans projects on GitHub
GitHub Security Lab disclosed on 2020-05-28 that 26 open-source NetBeans projects hosted on GitHub had been backdoored by a self-spreading Java malware dubbed Octopus Scanner. When a developer opened an infected NetBeans project, the malware identified other NetBeans projects on the host and dropped a malicious payload (`cache.dat`) into their build configurations so that subsequent JAR builds — including those committed back to GitHub — also shipped a remote-access trojan. The implant established C2 over an HTTPS reverse shell. Affected repositories had been hosting the implant for months; samples persisted in commit history.
- Date: 2018-08-01 to 2020-05-28
- Category: Open Source
- Target Surface: Revision control
- Insertion Phase: source
- Impact: Backdoor
- Cause: Compromised dependency
What Was Affected
Package: octopus-scanner
Language: Java
Component: Application
Artifact type: source archive
Domain type: code host
Domain: github.com
Repository: github.com/advisories
Incident Context
- Motive: Remote access
- Attribution: Unknown attacker
- Transitive: Yes
- User Impact: 26
- Observed Duration: 666 days
Indicators and Changes
Hashes
sha256:12c05ce238ee44fa8ff7be4f0c1090b4d72d7836c267b977b82ebd57a13db4ae
sha256:d5f3a93e8e2305d18fb358aaa31ec18b0c3e3733b770f6e08b9580f86749d44b
Source Data
Source record: oss/octopus-scanner/meta.yaml