Researchers at GitHub have identified 26 projects on GitHub that have been infected by malware[1]. The initial point of infection is undetermined, and all activity with the malware has been shut down. The malware relied on project templates generated by Apache NetBeans using an older, customized Apache Ant-based build system that has been in limited use since 2006. This does not impact users of other build systems such as Apache Maven or Gradle, or even most Apache Ant users. The majority of Apache NetBeans projects leverage native build tool integrations that are shared with continuous integration systems. With over 44 million repositories hosted on GitHub[2], the scope of these 26 projects looks isolated: the affected projects have been set to private and their owners contacted. GitHub has not had reason to contact the NetBeans community about this, indicating that it has no significant impact on the NetBeans community.

Note: Software supply chain attacks are not unique to any IDE, and the NetBeans community will continue to monitor the threat landscape to keep developers safe and aware. Be aware[3] that any build system you use when developing applications, with any IDE, can be infiltrated by malware. Always make sure that the files you check into your version control system are your own, or that you know where they come from and what they do.

Related references:

  1. https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
  2. https://www.zdnet.com/article/github-tops-40-million-developers-as-python-data-science-machine-learning-popularity-surges/
  3. http://wiki.apidesign.org/wiki/Malware