The GitHub security blog warned of an open source supply chain attack, named Octopus Scanner, that targets Apache NetBeans IDE projects. GitHub said that on March 9 it received a report from a security researcher known as JJ, who had found an open source repository infected with the Octopus Scanner malware.
Once a developer's system is infected, the malware searches it for NetBeans projects and embeds its malicious payload into the project files, so that the payload is executed every time the project is built.
GitHub then launched an investigation and found 26 open source projects that had been implanted with the Octopus Scanner backdoor.
GitHub says it uploaded samples to VirusTotal, where only four of the 60 antivirus engines detected them. The malicious program masquerades as a file named ocs.txt, but is actually a JAR (Java Archive) file.
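One defensive check that follows from the last point: a file whose extension claims "text" but whose bytes are a ZIP container carrying a JAR manifest is worth flagging in any repository scan. The script below is an added example, not code from GitHub's write-up or from the NetBeans project; it builds a constructed sample tree (a genuine README.txt and a tiny JAR saved as nbproject/ocs.txt) in a temporary directory and reports files that look like JARs under a non-archive extension. The directory layout, file contents and the allowed-extension list are assumptions for illustration.

```python
import io
import os
import tempfile
import zipfile

# Local file header magic that every ZIP/JAR begins with.
ZIP_MAGIC = b"PK\x03\x04"

# Extensions under which an archive is expected; anything else with ZIP bytes is suspicious.
ARCHIVE_EXTS = (".jar", ".zip", ".war", ".ear", ".nbm")


def is_jar_bytes(data: bytes) -> bool:
    """True if `data` is a readable ZIP container that carries a JAR manifest."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        # Starts with the magic but is not a well-formed archive.
        return False


def find_disguised_jars(root: str):
    """Walk `root` and return the paths of files whose extension says 'not an archive'
    but whose content is a JAR. Paths are returned relative to `root`, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in ARCHIVE_EXTS:
                continue  # a JAR under a JAR-like name is not a disguise
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                # Cheap first check on the 4-byte header, full read only if it matches.
                head = fh.read(len(ZIP_MAGIC))
                if head != ZIP_MAGIC:
                    continue
                data = head + fh.read()
            if is_jar_bytes(data):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(base: str) -> None:
    """Constructed sample (not real malware): one plain text file and one minimal JAR
    written under the name ocs.txt inside an nbproject/ directory."""
    os.makedirs(os.path.join(base, "nbproject"), exist_ok=True)
    with open(os.path.join(base, "README.txt"), "w", encoding="utf-8") as fh:
        fh.write("plain text, nothing to see here\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Example\n")
        zf.writestr("Example.class", b"\xca\xfe\xba\xbe")  # class-file magic only, no code
    with open(os.path.join(base, "nbproject", "ocs.txt"), "wb") as fh:
        fh.write(buf.getvalue())


def run_demo():
    """Build the constructed tree in a temp directory and scan it."""
    base = tempfile.mkdtemp(prefix="jarscan-")
    build_sample_tree(base)
    return find_disguised_jars(base)


if __name__ == "__main__":
    for hit in run_demo():
        print("JAR disguised under a non-archive name:", hit)
```

The check is deliberately content-based: it ignores what the name claims and asks the bytes, which is the property that an ocs.txt-style disguise relies on nobody checking. In a real repository scan you would run find_disguised_jars over the checkout and feed the hits to a review queue or a quarantine step.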