//
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
//

= Newly Identified Inactive Malware Campaign: Impact on Apache NetBeans
:author: Geertjan Wielenga
:revdate: 2020-06-01
:jbake-type: post
:jbake-tags: blogentry
:jbake-status: published
:keywords: Apache NetBeans blog index
:description: Apache NetBeans blog index
:toc: left
:toc-title:
:syntax: true

Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware<<secu>>.
The initial point of infection is undetermined, and all activity with the malware has been shut down.
The malware relied on project templates generated by Apache NetBeans using an older, customized Apache Ant-based build system
that has been in limited use since 2006. This does not affect users of other build systems such as Apache Maven or Gradle, nor most Apache Ant users.
The majority of Apache NetBeans projects use native build tool integrations that are shared with continuous integration systems.
With over 44 million repositories hosted on GitHub<<zdnet>>, the scope of these 26 projects appears isolated: the projects have been set to private
and their owners contacted, and GitHub has had no reason to contact the NetBeans community about this,
indicating that it has no significant impact on the NetBeans community.

Note: Software supply chain attacks are not unique to any IDE, and the NetBeans community will continue to monitor the
threat landscape to keep developers safe and aware. Be aware<<apidesign>> that any build system you use when developing applications,
with any IDE, can be infiltrated by malware. Always make sure that the files you check into your version control system
are your own, or that you know where they come from and what they do.
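One practical way to act on that advice is to keep a hash manifest of the generated build files a project checks in and compare it on every pull request or CI run, so that an edited build script or an unexpected new file under the build directory is flagged before it is committed further. The script below is an added example, not code from the NetBeans project or from the researchers' report; it assumes the usual layout of a NetBeans Ant-based project (`build.xml` plus the `nbproject/` directory) and constructs its own sample project in a temporary directory to demonstrate the check.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed paths: the generated build-system files a NetBeans Ant-based project
# keeps under version control. This is an assumption for the example; adapt it
# to whatever your own build system checks in.
BUILD_FILES = ("build.xml", "nbproject")


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large artifacts are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every build-system file (path relative to root) to its SHA-256.

    Source files outside BUILD_FILES are deliberately ignored: the point is to
    watch the generated build scripts that developers rarely read.
    """
    root_path = Path(root)
    manifest: Dict[str, str] = {}
    for name in BUILD_FILES:
        target = root_path / name
        if target.is_file():
            manifest[name] = sha256_of(target)
        elif target.is_dir():
            for entry in sorted(target.rglob("*")):
                if entry.is_file():
                    manifest[entry.relative_to(root_path).as_posix()] = sha256_of(entry)
    return manifest


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(key for key in baseline.keys() & current.keys()
                     if baseline[key] != current[key])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a fresh project, then detect later edits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "nbproject" / "private").mkdir(parents=True)
        (root / "src").mkdir()
        # Constructed sample files standing in for a freshly generated project.
        (root / "build.xml").write_text("<project name='demo' default='jar'/>\n")
        (root / "nbproject" / "build-impl.xml").write_text("<project/>\n")
        (root / "nbproject" / "project.properties").write_text("main.class=demo.Main\n")
        (root / "src" / "Main.java").write_text("class Main {}\n")  # not a build file, ignored

        baseline = build_manifest(tmp)  # this is what you would commit alongside the project

        # Constructed changes to detect: an edited build script and a new file
        # under nbproject/ that no developer consciously added.
        (root / "build.xml").write_text(
            "<project name='demo' default='jar'><target name='extra'/></project>\n")
        (root / "nbproject" / "private" / "unexpected.bin").write_bytes(b"\x00\x01constructed")

        return diff_manifest(baseline, build_manifest(tmp))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is committed once, when the project is generated, and `diff_manifest` is run in CI against a fresh `build_manifest`; a non-empty `added` or `changed` list is a signal to read the diff of those files rather than merge them unseen.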

[bibliography]
== Related references:

* [[[secu,1]]] link:https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain[https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain]
* [[[zdnet,2]]] link:https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/[https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/]
* [[[apidesign,3]]] link:http://wiki.apidesign.org/wiki/Malware[http://wiki.apidesign.org/wiki/Malware]
