Following the news that Octopus Malware, a new form of attack, has compromised 26 OSS projects on GitHub, please find commentary from an industry expert.
The Octopus Scanner Malware validates the importance of analysing binaries within your code and not taking the word of the manifest. What makes Octopus so dangerous is that it has the capability to infect other JAR files in the project so a developer ends up using and distributing the mutated code to their team or community of open source users.
We’ve seen over 20 one-off attempts at malicious code injection within OSS projects, but this is a new form of attack. This attack infects developer tools that subsequently infect all of the projects they are working on. It’s been open season on open source for a number of years; developers are on the front lines, and a new weapon has arrived on the battlefront.
I’ve always described this in terms of a tainted food project. If you inspect a salad recipe, you’ll find all of the common ingredient names (aka the manifest), but quality is not an attribute of the ingredient list. ‘Tainted lettuce’ won’t be listed as an ingredient, but that doesn’t mean you won’t end up with E. coli when using it.
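The check the commentary calls for, verifying the binaries themselves rather than the manifest, can be automated per JAR entry. The script below is an added illustration, not code from the expert or from any project named above: it records SHA-256 digests of every entry in a known-clean JAR as an out-of-band baseline, then reports entries that were modified, added or removed in a later copy. The JAR contents, class names and bytes are constructed for the example.

```python
"""Audit the entries of a JAR against a trusted digest baseline, not its manifest."""
import hashlib
import io
import zipfile

# Constructed sample JAR contents (not real bytecode).
CLEAN_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nMain-Class: com.example.App\r\n\r\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe app bytecode (constructed)",
    "com/example/Util.class": b"\xca\xfe\xba\xbe util bytecode (constructed)",
}


def build_jar(entries: dict) -> bytes:
    """Pack {path: bytes} into an in-memory JAR (a JAR is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(jar_bytes: bytes) -> dict:
    """SHA-256 hex digest of every file entry, keyed by path; directories skipped."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def audit_jar(jar_bytes: bytes, baseline: dict) -> dict:
    """Compare a JAR's entries with a baseline recorded from a known-clean build.

    The baseline lives outside the JAR: malware that rewrites .class files can
    rewrite META-INF/MANIFEST.MF in the same pass, so the manifest is not trusted.
    """
    actual = entry_digests(jar_bytes)
    return {
        "modified": sorted(p for p in actual if p in baseline and actual[p] != baseline[p]),
        "added": sorted(set(actual) - set(baseline)),
        "removed": sorted(set(baseline) - set(actual)),
    }


def tampered_sample() -> dict:
    """Constructed variant of CLEAN_ENTRIES: one class altered, one unexpected class present."""
    entries = dict(CLEAN_ENTRIES)
    entries["com/example/Util.class"] += b" with extra bytes"
    entries["com/example/Loader.class"] = b"\xca\xfe\xba\xbe unexpected entry"
    return entries


if __name__ == "__main__":
    baseline = entry_digests(build_jar(CLEAN_ENTRIES))
    print(audit_jar(build_jar(tampered_sample()), baseline))
```

Note that the manifest in the tampered copy is byte-for-byte unchanged and is not flagged; only the altered and unlisted class entries are, which is exactly the gap between the ingredient list and the ingredients.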
Information Security Buzz (aka ISBuzz News) is an independent resource that provides experts’ comments, analysis and opinion on the latest Information Security news and topics.