HackerTrans
TopNewTrendsCommentsPastAskShowJobs

p3rspective

no profile record

comments

p3rspective
·8 เดือนที่ผ่านมา·discuss
generally yes, although hijacking can and has happened on Central with expired maintainer domains reclaimed by threat actor who can then republish malicious versions of a previously legit group/artifact ID. there's also the problem of mirrors or copies of hijacked npm being replicated on Central -https://x.com/SocketSecurity/status/1993389518247149907
p3rspective
·8 เดือนที่ผ่านมา·discuss
Make no mistake, Maven Central does get multiple malware components uploaded each year, though not nearly to the same extent as npm or pypi. Sonatype (my former employer) just doesn't report on these publicly each time it happens. It's not an isolated problem but certainly harder to do with maven.