Sonatype Stops Software Supply Chain Attack Aimed at the Java Developer Community

On January 7th, Sonatype became aware of 3 malicious brandjacking components which were published to the Maven Central Repository in the last week of 2020. 

Upon becoming aware of the issue, we immediately blocked access to those components, removed them from the Central Repository, and initiated a thorough investigation of the incident.

The three component GAVs, tracked by their respective Sonatype vulnerability identifiers, are:

| Group ID | Artifact ID | Version(s) | Vulnerability Tracking Identifier |
|---|---|---|---|
| com.github.codingandcoding | maven-compiler-plugin | 3.9.0 | sonatype-2021-0012 |
| com.github.codingandcoding | mail-watcher-plugin | 1.16, 1.17 | sonatype-2021-0013 |
| com.github.codingandcoding | servlet-api | 3.2.0 | sonatype-2021-0014 |

These malicious components that attempted to impersonate legitimate Jenkins and Maven plugins by using the same Artifact names were downloaded 846 times in the 10 days since they were published. During the same period, the legitimate Jenkins and Maven plug-ins were downloaded a total of 23 million times.

These discoveries come to light in the wake of Sonatype’s repeated warnings about threat actors targeting various open-source ecosystems with typosquatting and brandjacking malware.

Typosquatting and brandjacking software supply chain attacks like these capitalize on the reputation built by existing brands and open source projects. These attacks bank on an unsuspecting developer pulling malware into their software supply chain by mistaking it for the legitimate component with an identical Artifact name (though using a different group identifier). As with the recent SolarWinds Orion attack, bad actors hope to infiltrate trusted software development and distribution mechanisms without a software development team’s knowledge.
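The defensive check that follows from this description is a build-time audit of Maven coordinates: the artifact ID alone is not an identity, so every dependency and plugin should be compared against the group ID the team actually expects for that artifact name, and against group IDs already known to have published brandjacked components. The script below is an added example, not Sonatype's tooling or code from the original post. It assumes a team-maintained allowlist (`EXPECTED_GROUPS`; the two entries shown are the well-known coordinates of the Apache Maven compiler plugin and the javax.servlet API), a blocklist seeded with the group ID named in this post, and a constructed sample `pom.xml` embedded inline so it runs offline. The `io.github.example-fork` group in the sample is invented purely to exercise the name-collision branch.

```python
import xml.etree.ElementTree as ET

# Team-maintained allowlist: which group ID is allowed to publish a given
# artifact ID. Assumption: these are the coordinates your builds are meant
# to resolve; extend it with every artifact your projects depend on.
EXPECTED_GROUPS = {
    "maven-compiler-plugin": {"org.apache.maven.plugins"},
    "servlet-api": {"javax.servlet"},
}

# Group IDs known to have published brandjacking components (from the post).
BLOCKED_GROUPS = {"com.github.codingandcoding"}

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Maven resolves a <plugin> without an explicit <groupId> from this group.
DEFAULT_PLUGIN_GROUP = "org.apache.maven.plugins"


def _text(node, tag):
    """Return the stripped text of a namespaced child element, or None."""
    child = node.find(POM_NS + tag)
    return child.text.strip() if child is not None and child.text else None


def coordinates(pom_xml):
    """Yield (groupId, artifactId, version, kind) for each dependency and plugin.

    The descendant search also walks <dependencyManagement> and plugin-level
    <dependencies>, so those coordinates are audited as well.
    """
    root = ET.fromstring(pom_xml)
    searches = (
        ("dependency", f".//{POM_NS}dependencies/{POM_NS}dependency"),
        ("plugin", f".//{POM_NS}plugins/{POM_NS}plugin"),
    )
    for kind, path in searches:
        for node in root.findall(path):
            group = _text(node, "groupId")
            if group is None and kind == "plugin":
                group = DEFAULT_PLUGIN_GROUP
            yield group, _text(node, "artifactId"), _text(node, "version"), kind


def audit_pom(pom_xml):
    """Return a list of (finding_type, 'group:artifact:version') for a POM.

    'blocked-group' fires for any coordinate under a known-bad group ID;
    'artifact-name-collision' fires when an artifact ID we depend on is
    pulled from a group ID other than the one we expect for it.
    """
    findings = []
    for group, artifact, version, _kind in coordinates(pom_xml):
        gav = f"{group}:{artifact}:{version or '?'}"
        if group in BLOCKED_GROUPS:
            findings.append(("blocked-group", gav))
        elif artifact in EXPECTED_GROUPS and group not in EXPECTED_GROUPS[artifact]:
            findings.append(("artifact-name-collision", gav))
    return findings


# Constructed sample POM: one legitimate servlet-api, one under the blocked
# group, one under an invented third-party group, a compiler plugin with the
# default group, and a compiler plugin under the blocked group.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>2.5</version>
    </dependency>
    <dependency>
      <groupId>com.github.codingandcoding</groupId>
      <artifactId>servlet-api</artifactId>
      <version>3.2.0</version>
    </dependency>
    <dependency>
      <groupId>io.github.example-fork</groupId>
      <artifactId>servlet-api</artifactId>
      <version>3.0.0</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.8.1</version>
      </plugin>
      <plugin>
        <groupId>com.github.codingandcoding</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.9.0</version>
      </plugin>
    </plugins>
  </build>
</project>"""

if __name__ == "__main__":
    for finding_type, gav in audit_pom(SAMPLE_POM):
        print(f"{finding_type}: {gav}")
```

Running it against the sample flags the two coordinates under the blocked group and the servlet-api pulled from the invented group, while the javax.servlet dependency and the compiler plugin resolved from the default group pass. In a CI pipeline the same check is most useful on the fully resolved tree (for example the output of `mvn dependency:tree`) rather than only the top-level POM, since a brandjacked coordinate can arrive transitively.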

Upon identifying the components, Sonatype acted swiftly to address this issue because, as the stewards of the Central Repository, we understand the severity of such malicious components being made available for download by unsuspecting developers.

Maven Namespacing as it relates to Brandjacking and permissions for publishing to Central.

Sonatype’s Maven (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Sonatype Security Research Team. Read the original post at: https://blog.sonatype.com/malware-removed-from-maven-central