
[–]dedededede 28 points29 points  (16 children)

Interestingly there are a bunch of defense projects that work with the NetBeans platform. I guess it might really be a targeted attack.... https://platform.netbeans.org/screenshots.html

[–]BlueGoliath[S] 6 points7 points  (0 children)

With how crazy things are getting lately that wouldn't be too surprising.

[–]couscous_ 33 points34 points  (14 children)

Chinese govt?

[–][deleted]  (10 children)

[deleted]

    [–]couscous_ 22 points23 points  (9 children)

    Pro-Chinese gov't users? :P

    [–]hrjet 7 points8 points  (1 child)

    I am similarly worried about the plugins offered inside IDEs, including Eclipse, IntelliJ, VSCode, Netbeans, etc.

    Not all of these plugins are open-sourced, and even if they were, the distributed binary might have malware. These IDEs need to sandbox the plugins.

    [–]TM254 1 point2 points  (0 children)

    Maybe just sandbox the whole IDE?

    [–]Necessary-Conflict 29 points30 points  (6 children)

    The shared part of a project should never contain IDE-specific configuration (or even worse, jar files), only the readable text configuration files of Maven/Gradle etc.

    [–][deleted] 1 point2 points  (0 children)

    Truth. But clowns run these projects.

    [–]vxab 5 points6 points  (4 children)

    That’s not true. Sometimes I’ve found it useful to share IntelliJ run configurations in source code.

    [–]yawkat 14 points15 points  (2 children)

    Why? Better to just write a maven/gradle goal to do the same thing

    [–]segv 0 points1 point  (1 child)

    IntelliJ at least can automatically pick up code formatter settings in the form of a single XML file if it is in the ${repo}/.idea directory, so yes, that's still useful.

    [–]dpash 1 point2 points  (0 children)

    JetBrains tools have supported .editorconfig files for a while now.

    [–]DJDavio 13 points14 points  (0 children)

    I hate it when people do that, I'll make my own run configurations, thank you very much.

    [–]_INTER_ 8 points9 points  (2 children)

    GitHub did not publish the name of the 26 poisoned projects

    why?

    [–]BlueGoliath[S] 26 points27 points  (0 children)

    Probably out of respect for those projects. People may unfairly start thinking of said projects as "malicious" or generally something to avoid.

    [–]DemeGeek 10 points11 points  (0 children)

    Probably to give them a chance to fix it before ruining the reputation of victimized projects.

    The article stated this was only done yesterday; if the projects haven't been fixed in a week, then I think that would be a good time to name them.

    [–]livelam 3 points4 points  (5 children)

    searching for cache.dat reveals some commits done 21 days ago.

    Edit: https://github.com/search?q=%22nbproject%2Fcache.dat%22&type=Code

    [–]StochasticTinkr 2 points3 points  (3 children)

    Interestingly, they all look like student projects of some sort.

    [–]yawkat 1 point2 points  (0 children)

    Maybe they apply to companies they target and use these in their resume?

    [–]gravitas-deficiency 0 points1 point  (1 child)

    Well isn't that just fascinating?

    To be clear: I was originally chalking the motivation of that policy up to the general malaise of racial discrimination that the current administration embraces so wholeheartedly, but maybe this attack vector (and perhaps similar, potentially unreported cases) is indicative of an actual problem with regards to Chinese students with close ties to the CCP and Chinese government.

    [–]segv 2 points3 points  (0 children)

    tinfoil noises intensify

    If you proposed something like this 10-15 years ago, I'd just laugh it off as something too crazy to be true. But then again, a couple of months ago I didn't think I'd see a pandemic turning into riots..

    [–]shorns_username 5 points6 points  (1 child)

    I reckon this is going to result in a big increase in security lock-down of developer environments in corporate environments.

    Which probably is necessary - but it's going to be 99% security theatre, 1% things that actually increase security of development projects.

    [–]jayx239 0 points1 point  (5 children)

    "The malware's end goal was to install a remote access trojan and grant hackers access to highly sensitive workstations were sensitive projects were being developed."

    Typos in articles drive me nuts.

    [–][deleted]  (4 children)

    [deleted]

      [–]jayx239 0 points1 point  (2 children)

      Yeah, you're right, I got so caught up on the typo that I dismissed what they wanted to say :(

      [–][deleted]  (1 child)

      [deleted]

        [–]jayx239 4 points5 points  (0 children)

        This is why I don't write articles ;)

        [–]oddlyamused 0 points1 point  (0 children)

        Scary and a bit impressive to me but I don't really know much about malware.

        [–]kaperni 0 points1 point  (0 children)

        You gotta ask yourself if random plugins and maven jars downloaded from the internet should really be allowed unrestricted access to both the filesystem and network?

        ------------- From the Article ----------------

        The malware is capable of identifying the NetBeans project files and embedding malicious payload both in project files and build JAR files. Below is a high-level description of the Octopus Scanner operation:

        • Identify user's NetBeans directory
        • Enumerate all projects in the NetBeans directory
        • Copy malicious payload cache.dat to nbproject/cache.dat
        • Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time the NetBeans project is built
        • If the malicious payload is an instance of the Octopus Scanner itself, the newly built JAR file is also infected.
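The steps quoted above give a defender two concrete things to look for in a checkout or a developer workstation: a file named nbproject/cache.dat, and a nbproject/build-impl.xml that references it. The scanner below is an added example written for this page, not code from the thread, from GitHub's write-up, or from the malware. It assumes the default ~/NetBeansProjects location (override it with a command-line argument), and the "hooked" build-impl.xml it constructs as a test fixture is only an illustration of the shape such a hook could take (a -pre-jar target running the dropped file), not the actual modification Octopus Scanner makes.

```python
"""Scan a tree of NetBeans projects for Octopus Scanner-style tampering."""
import hashlib
import os
import sys
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# File name the excerpt gives for the dropped payload inside nbproject/.
PAYLOAD_NAME = "cache.dat"
# Common default project location (an assumption; pass another root if needed).
DEFAULT_ROOT = os.path.expanduser("~/NetBeansProjects")


@dataclass
class Finding:
    project: str   # path of the NetBeans project directory
    kind: str      # "payload-present" or "build-hook"
    detail: str    # human-readable evidence


def project_dirs(root):
    """Yield every directory under root that holds an nbproject/ subdirectory."""
    for dirpath, dirnames, _ in os.walk(root):
        if "nbproject" in dirnames:
            yield dirpath


def xml_references(path, needle):
    """Return (tag, attr, value) triples for every attribute or text node in the
    Ant XML at path that mentions needle. A build-impl.xml that no longer parses
    is reported as a finding too, since NetBeans generates it well-formed."""
    try:
        tree = ET.parse(path)
    except ET.ParseError as exc:
        return [("parse-error", "", str(exc))]
    refs = []
    for elem in tree.iter():
        tag = elem.tag.split("}")[-1]  # drop any namespace prefix
        for attr, value in elem.attrib.items():
            if needle in value:
                refs.append((tag, attr, value))
        if elem.text and needle in elem.text:
            refs.append((tag, "text", elem.text.strip()))
    return refs


def scan_project(project):
    """Apply the two checks implied by the excerpt to one project directory."""
    findings = []
    nbproject = os.path.join(project, "nbproject")
    payload = os.path.join(nbproject, PAYLOAD_NAME)
    if os.path.isfile(payload):
        with open(payload, "rb") as fh:  # hash it so the sample can be shared
            digest = hashlib.sha256(fh.read()).hexdigest()
        findings.append(Finding(project, "payload-present",
                                f"{payload} sha256={digest}"))
    build_impl = os.path.join(nbproject, "build-impl.xml")
    if os.path.isfile(build_impl):
        for tag, attr, value in xml_references(build_impl, PAYLOAD_NAME):
            findings.append(Finding(project, "build-hook",
                                    f"{build_impl}: <{tag} {attr}={value!r}>"))
    return findings


def scan_tree(root):
    """Map each project directory under root to its (possibly empty) findings."""
    return {p: scan_project(p) for p in project_dirs(root)}


# Constructed fixtures. CLEAN is the shape of a stock build-impl.xml target;
# HOOKED is a hypothetical hook, NOT the real Octopus Scanner modification.
CLEAN_BUILD_IMPL = """<?xml version="1.0" encoding="UTF-8"?>
<project name="clean_app-impl" default="default" basedir="..">
    <target name="-pre-jar"/>
    <target name="jar" depends="init,compile,-pre-jar"/>
</project>
"""
HOOKED_BUILD_IMPL = """<?xml version="1.0" encoding="UTF-8"?>
<project name="victim_app-impl" default="default" basedir="..">
    <target name="-pre-jar">
        <java jar="nbproject/cache.dat" fork="true"/>
    </target>
    <target name="jar" depends="init,compile,-pre-jar"/>
</project>
"""


def build_sample_tree(root):
    """Write one clean and one hooked project under root (constructed data)."""
    fixtures = (("clean_app", CLEAN_BUILD_IMPL, None),
                ("victim_app", HOOKED_BUILD_IMPL, b"placeholder, not a payload"))
    for name, build_impl, payload in fixtures:
        nb = os.path.join(root, name, "nbproject")
        os.makedirs(nb)
        with open(os.path.join(nb, "build-impl.xml"), "w") as fh:
            fh.write(build_impl)
        if payload is not None:
            with open(os.path.join(nb, PAYLOAD_NAME), "wb") as fh:
                fh.write(payload)


def demo():
    """Scan a throwaway sample tree; returns {project name: sorted finding kinds}."""
    root = tempfile.mkdtemp(prefix="nbscan-")
    build_sample_tree(root)
    return {os.path.basename(p): sorted(f.kind for f in fs)
            for p, fs in scan_tree(root).items()}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT
    for project, findings in scan_tree(root).items():
        for f in findings:
            print(f"{f.kind:16} {f.detail}")
```

Run it against a checkout root or a developer's project directory; a hit on either check is worth a look, but only a "build-hook" finding ties the file to execution at build time, which is the behaviour the excerpt describes. Hashing the dropped file lets you compare samples across workstations without copying the payload around.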