Re: Netbeans and malware article

2020-05-30 Thread zeugme
Hi, I like the wording. In fact, it is more a GitHub project maintainer issue that didn't filter a new file on his repo. The fact that this repo was based on an IDE and that the threatening file exploits this information could lead to more risk using source code from public repos, with Netbeans or not.

Re: Netbeans and malware article

2020-05-30 Thread Glenn Holmer
On 5/30/20 8:11 AM, Geertjan Wielenga wrote:
> OK, I’ll put together a blog we can refer to that will say this — “research has been done on GitHub that identified 26 small Ant-based Java projects, mostly games, some of them by the same person, none of the projects appeared to be enterprise/pr

Re: Netbeans and malware article

2020-05-30 Thread Geertjan Wielenga
Sure, there is no need to be defensive. But, there really isn’t — the research has identified nothing that NetBeans can do or has any control over at all. Any project’s build process can be impacted by malware. 26 of these have been identified on GitHub — which happened to make use of Ant-based Net

Re: Netbeans and malware article

2020-05-30 Thread Emilian Bold
Yes, this could be good publicity right before the release! --emi
Sat., 30 May 2020, 16:57 Emma Atkinson wrote:
> I wouldn't treat this as a negative thing about which to be defensive. It can be positive and show the team in a good light.
>
> Here's a suggestion
>
> We are aware of news

Re: Netbeans and malware article

2020-05-30 Thread Emma Atkinson
I wouldn't treat this as a negative thing about which to be defensive. It can be positive and show the team in a good light. Here's a suggestion We are aware of news report ... etc. We contacted the researchers behind the news. They found 26 infected projects. The owners have been contacted

Re: Netbeans and malware article

2020-05-30 Thread Geertjan Wielenga
OK, I’ll put together a blog we can refer to that will say this — “research has been done on GitHub that identified 26 small Ant-based Java projects, mostly games, some of them by the same person, none of the projects appeared to be enterprise/professional, that had been infiltrated by malware. The

Re: Netbeans and malware article

2020-05-30 Thread Emilian Bold
Note this is not a CVE since it's not a NetBeans vulnerability. Executing any build will run with the local user privileges on any popular IDE and injecting something dubious in a build is trivial. Still, I think GitHub could have approached the Apache security team so the NetBeans PMC has a repl

Re: Netbeans and malware article

2020-05-30 Thread brian
LOL, still, why so much emphasis on Ant with Netbeans? Just throwing out ideas, but could IDEA be behind this, given Netbeans 12 is around the corner?

Re: Netbeans and malware article

2020-05-30 Thread Geertjan Wielenga
It seems to me like we should put out a blog entry with some response to this. Just so that we have a central point to refer to when people ask about this. However, I have no idea what that blog entry should say, beyond “if someone wants to do so, they can inject malware into the build process of

Re: Netbeans and malware article

2020-05-30 Thread Emma Atkinson
Should someone from the Apache Netbeans governing team approach Microsoft for information on this matter? I would have thought Microsoft GitHub would welcome any approach that might go some way toward tackling the problem. Knowing details should enable the Netbeans and NetbeansIDE communities to

Re: Netbeans and malware article

2020-05-30 Thread Emilian Bold
I'm leaning towards this being a student project honestly. Why would a company developing a legacy project grab random unknown Ant-based projects from GitHub? But NetBeans is used a lot for teaching and I suspect teachers don't introduce Maven / Gradle since they are more complex and they use the

Re: Netbeans and malware article

2020-05-29 Thread Alan
The odds that a virus scanner would have a pattern for something like this are very low indeed, so in this specific case I doubt it would make a difference. However, excluding paths for any reason leaves an aperture open that could be exploited. The targeted attacks I've seen are amazingly spe

Re: Netbeans and malware article

2020-05-29 Thread Emilian Bold
No, because it targets the project folders and the build artifacts, not the NetBeans JARs themselves. --emi
On Fri, May 29, 2020 at 11:33 PM Juan Algaba wrote:
>
> I wonder if excluding netbeans from antivirus scanning (for performance reasons), but not the project folders, make you more at r

Re: Netbeans and malware article

2020-05-29 Thread Juan Algaba
I wonder if excluding netbeans from antivirus scanning (for performance reasons), but not the project folders, makes you more at risk to something like this?
On Fri, May 29, 2020 at 12:40 PM Alan wrote:
> The malware is oddly focused. I suspect a specific group was being targeted. If eventually

Re: Netbeans and malware article

2020-05-29 Thread Alan
The malware is oddly focused. I suspect a specific group was being targeted. If eventually GitHub releases the project names that might provide a clue. On 2020-05-29 15:30, Emilian Bold wrote: so I guess this is all just about me. :-) Hehe. Still, they worked too much to target Ant and Net

Re: Netbeans and malware article

2020-05-29 Thread Emilian Bold
> so I guess this is all just about me. :-)
Hehe. Still, they worked too much to target Ant and NetBeans. I think the Gradle wrapper is a much easier target and developers will run ./gradlew without a 2nd thought. --emi
On Fri, May 29, 2020 at 10:25 PM Geertjan Wielenga wrote:
>
>
> Sure, thos

Re: Netbeans and malware article

2020-05-29 Thread Geertjan Wielenga
Sure, those are simply Ant files. I also wonder about the 26 open source projects they refer to on GitHub, without naming them, where this problem was encountered. I have about that number of NetBeans projects in my GitHub repo, so I guess this is all just about me. :-)
Gj
On Fri, 29 May 2020 at

Re: Netbeans and malware article

2020-05-29 Thread Emilian Bold
Seems near-impossible for this to actually be in the wild. According to https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain macOS developer machines seem unaffected. For Linux / Windows developer machines look for:
* nbproject/cache.dat files
* $HOME/.local/s

Re: Netbeans and malware article

2020-05-29 Thread Scott Palmer
The malware explicitly targets NetBeans: "The malware is capable of identifying the NetBeans project files and embedding malicious payload both in project files and build JAR files. Below is a high-level description of the Octopus Scanner operation:
• Identify user's NetBeans directory

Re: Netbeans and malware article

2020-05-29 Thread Ty Young
On 5/29/20 2:16 PM, Geertjan Wielenga wrote:
> It seems to be saying that a build system that uses Apache Ant can be poisoned by malware. That probably is equally true for Gradle and Apache Maven — so I don’t understand why they’re picking on Ant.
Probably because Ant was the standard in Net

Re: Netbeans and malware article

2020-05-29 Thread Geertjan Wielenga
It seems to be saying that a build system that uses Apache Ant can be poisoned by malware. That probably is equally true for Gradle and Apache Maven — so I don’t understand why they’re picking on Ant.
Gj
On Fri, 29 May 2020 at 21:09, Peter Steele wrote:
> Hi
>
> Saw this
>
>
> https://www.zdnet