Octopus Malware: New Attack Compromises 26 OSS Projects On GitHub – Industry Comment

Following the news that Octopus Malware, a new form of attack, has compromised 26 OSS projects on GitHub, please find commentary from an industry expert.

1 Expert Comment
Brian Fox, CTO
InfoSec Expert
June 1, 2020 1:30 pm

The Octopus Scanner Malware validates the importance of analysing binaries within your code and not taking the word of the manifest. What makes Octopus so dangerous is that it has the capability to infect other JAR files in the project so a developer ends up using and distributing the mutated code to their team or community of open source users.

We’ve seen over 20 one-off attempts at malicious code injection within OSS projects, but this is a new form of attack. This attack infects developer tools that subsequently infect all of the projects they are working on. It’s been open season on open source for a number of years, developers are on the front lines, and a new weapon has arrived on the battlefront.

I’ve always described this in terms of a tainted food project. If you inspect a salad recipe, you’ll find all of the common ingredient names (aka the manifest), but quality is not an attribute of the ingredient list. ‘Tainted lettuce’ won’t be listed as an ingredient, but that doesn’t mean you won’t end up with E. coli when using it.

Last edited 2 years ago by Brian Fox
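The check described in the comment above, comparing the actual bytes of every entry in a JAR against pinned digests instead of trusting what MANIFEST.MF declares, as an added Python example that is not from the article or from any project it mentions. The clean and tampered JARs, their entries and the pinned digests are all constructed inline for the demonstration:

```python
import hashlib
import io
import zipfile

# Constructed sample: a "clean" JAR as shipped, and the same JAR after one
# class was altered and another injected. MANIFEST.MF is identical in both,
# which is why inspecting the manifest alone cannot reveal the change.
MANIFEST = b"Manifest-Version: 1.0\nMain-Class: app.Main\n"
CLEAN_ENTRIES = {
    "META-INF/MANIFEST.MF": MANIFEST,
    "app/Main.class": b"\xca\xfe\xba\xbe clean main",
    "app/Util.class": b"\xca\xfe\xba\xbe clean util",
}
TAMPERED_ENTRIES = dict(CLEAN_ENTRIES)
TAMPERED_ENTRIES["app/Util.class"] = b"\xca\xfe\xba\xbe patched util"
TAMPERED_ENTRIES["app/Loader.class"] = b"\xca\xfe\xba\xbe injected"


def build_jar(entries):
    """Build an in-memory JAR (a zip archive) from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(jar_bytes):
    """SHA-256 of the decompressed bytes of every file entry, keyed by name."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def diff_jar(expected, jar_bytes):
    """Compare a JAR against pinned per-entry digests (e.g. from a known-good build).

    Returns entries whose bytes changed, entries added that were never pinned,
    and pinned entries that disappeared. Any non-empty list is a finding.
    """
    actual = entry_digests(jar_bytes)
    return {
        "modified": sorted(n for n in expected if n in actual and actual[n] != expected[n]),
        "added": sorted(n for n in actual if n not in expected),
        "missing": sorted(n for n in expected if n not in actual),
    }


if __name__ == "__main__":
    pinned = entry_digests(build_jar(CLEAN_ENTRIES))
    print(diff_jar(pinned, build_jar(TAMPERED_ENTRIES)))
```

In practice the pinned digests come from a build you trust (or a lockfile of artifact hashes) and the check runs in CI before artifacts are published or consumed.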