Folks,

A colleague is preparing a presentation on general dependency security issues. I'm not aware of any compromises of the Maven repo system such that a malicious actor was able to push malware to client systems, but I'm not sure it's never happened.

Does anyone know about anything like the attack on npm a couple of years ago <https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets> that happened in the Java space? Even if something just went a little wonky in a way that could have been used to serve malware but wasn't, that would be almost as interesting.

Of course, I'd love for the answer to be, "No, that's never happened to Java, and it can't because..." I suspect we're a little more resistant to these classes of attacks than npm because version ranges are far less common. However, I can't think of anything that would prevent someone from buying and compromising future versions of any particular artifact. It's not like intelligence agencies haven't bought entire companies before, <https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/> and most open source projects could be had for a lot less.

-- 
Elliotte Rusty Harold
[email protected]
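One concrete check behind the version-range point in the post above, as an added example that is not code from the original message or from the Maven project: a small scanner that flags pom.xml dependencies whose version the resolver chooses for you (ranges, SNAPSHOTs, LATEST/RELEASE, unresolved properties, or versions managed elsewhere) rather than a pinned release. The sample pom.xml is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from the original post): one pinned
# dependency, one Maven version range, one SNAPSHOT.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.example</groupId>
      <artifactId>pinned-lib</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>com.example</groupId>
      <artifactId>ranged-lib</artifactId><version>[1.0,)</version></dependency>
    <dependency><groupId>com.example</groupId>
      <artifactId>snap-lib</artifactId><version>1.5-SNAPSHOT</version></dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Maven range syntax: bracket/paren bounded sets such as [1.0,2.0), (,1.0], [1.0,)
RANGE_RE = re.compile(r"^[\[(].*[\])]$")

def classify_version(version):
    """Classify a <version> value by how much it lets the resolver pick for you."""
    if version is None:
        return "managed"      # inherited from parent/BOM; check that POM too
    if RANGE_RE.match(version):
        return "range"        # resolver picks the newest matching release
    if version.endswith("-SNAPSHOT"):
        return "snapshot"     # re-resolved to the latest deployed snapshot
    if version in ("LATEST", "RELEASE"):
        return "latest"       # legacy meta-versions, also resolver-chosen
    if "${" in version:
        return "property"     # resolved elsewhere; inspect the property value
    return "pinned"

def find_unpinned(pom_text):
    """Return (groupId:artifactId, version, kind) for every non-pinned dependency."""
    root = ET.fromstring(pom_text)
    findings = []
    for dep in root.iterfind(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="?", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="?", namespaces=NS)
        version = dep.findtext("m:version", default=None, namespaces=NS)
        version = version.strip() if version else None
        kind = classify_version(version)
        if kind != "pinned":
            findings.append((f"{group}:{artifact}", version, kind))
    return findings

if __name__ == "__main__":
    for coords, version, kind in find_unpinned(SAMPLE_POM):
        print(f"{kind:9} {coords} {version}")
```

A pinned version only fixes which coordinates are fetched; verifying what is fetched (checksums, signatures) is a separate control.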
