Octopus Malware: New Attack Compromises 26 OSS Projects On GitHub – Industry Comment

Following the news that Octopus Malware, a new form of attack, has compromised 26 OSS projects on GitHub, please find commentary from an industry expert.

Expert Comments

June 01, 2020
Brian Fox
CTO
Sonatype
The Octopus Scanner Malware validates the importance of analysing binaries within your code and not taking the word of the manifest. What makes Octopus so dangerous is that it has the capability to infect other JAR files in the project so a developer ends up using and distributing the mutated code to their team or community of open source users. We’ve seen over 20 one-off attempts at malicious code injection within OSS projects, but this is a new form of attack. This attack infects developer tools that subsequently infect all of the projects they are working on. It’s been open season on open source for a number of years, developers are on the front lines, and a new weapon has arrived on the battlefront. I’ve always described this in terms of a tainted food project. If you inspect a salad recipe, you’ll find all of the common ingredient names (aka the manifest), but quality is not an attribute of the ingredient list. ‘Tainted lettuce’ won’t be listed as an ingredient, but that doesn’t mean you won’t end up with E. coli when using it.