How GitHub untangled itself from the ‘Octopus’ malware that infected 26 software projects

It's an example of the potentially insidious nature of open-source supply chain compromises.
(Flickr user <a href="">Ben Nuttal</a>)

For GitHub, not all reports about malicious software on its platform are of equal importance.

The company behind the popular software repository, where developers often share code rather than building it from scratch, revealed this week that attackers were trying to exploit the open-source nature of the site to distribute malware. A hacking tool was designed to spread through software projects, then leave a “backdoor” that could offer hackers persistent access to the software.

By infiltrating open-source software, hackers could have given themselves a foothold in code that was later included in corporate apps or websites. Open-source websites continue to represent valuable targets for hackers hoping that technology companies will adopt compromised tools to build their own software. (GitHub claims the site has tens of millions of users.)

In this case, the malicious code — which spread to 26 different GitHub projects — is an example of the potentially insidious nature of open-source supply chain compromises. Dubbed Octopus Scanner, the malware deployed a remote access hacking tool that can be used to gather data. It was spreading through projects that used a popular software called Apache NetBeans, the company said.


“There is a huge potential for escalation of access, which is a core attacker objective in most cases,” GitHub security researcher Alvaro Muñoz wrote in a blog post Thursday.

Leaving the code unattended wasn’t an option because of the access it could provide attackers to other projects and production environments. After being tipped off by an independent researcher, Muñoz and his team had the laborious task of pinpointing the code and removing it from the infected repositories.

Security staffers’ initial plan of contacting the owners of the repositories and telling them to clean up their digital stashes wasn’t enough to contain the malware. They had to dissect the code to see the different files it was infecting, then figure out how to halt its spread.

It is unclear who is behind Octopus Scanner, or what they were after. But it gave Muñoz a headache that he said he hopes won’t return.

“While infecting build processes is certainly not a new idea, seeing it actively deployed and used in the wild is certainly a disturbing trend,” he wrote. In another example, a version of the popular Webmin system configuration tool released last year contained a “backdoor” that someone familiar with the program could have exploited.


Federico Maggi, a senior researcher at cybersecurity company Trend Micro, said the GitHub infections were a reminder of the access that open-source software libraries can give hackers. Maggi recently showed how compromising a different software library could be used to deliver malware to devices in a factory.

“This tactic is very powerful because it gives indirect access to many systems.” Maggi said in an email Friday. “You include a malicious open source library, and anything you build with that included in the chain will run that malicious code.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts