"MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries"

According to researchers at the mobile security company Oversecured, several public and popular libraries that have been abandoned but are still used in Java and Android applications are vulnerable to a new software supply chain attack method called MavenGate. Access to projects can be hijacked by purchasing the domain name behind an abandoned library's namespace, and because most default build configurations are vulnerable, determining whether an attack is taking place would be difficult, if not impossible. Exploitation could allow malicious actors to hijack artifacts in dependencies and inject malicious code into the application or, worse, compromise the build process with a malicious plugin. The researchers also note that all Maven-based technologies, including Gradle, are affected. Reports of the vulnerability were sent to over 200 organizations, including Google, Facebook, Amazon, and Signal. This article continues to discuss the new MavenGate software supply chain attack.
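Because the attack described above turns on who controls the domain behind a dependency's reverse-DNS groupId, the first defensive step is simply to know which domains a build implicitly trusts. The script below is an added example, not code from the article or from Oversecured: it parses a constructed sample `pom.xml` (all groupIds and artifact names in it are made up), maps each dependency's groupId to the registrable domain that anchors it, and separates out groupIds issued under a shared hosting account (such as `io.github.*`) and legacy single-token groupIds that have no domain at all. The resulting list is what a team would then check out of band for expired or lapsed registrations; the script itself makes no network calls.

```python
"""Inventory the DNS domains implicitly trusted through Maven groupIds.

Added example for reviewing a project's dependency namespaces; the POM and
all coordinates below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample POM (not from the article); groupIds are illustrative only.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.app</groupId>
  <artifactId>app</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>com.example.lib</groupId>
      <artifactId>lib-core</artifactId>
      <version>2.3</version>
    </dependency>
    <dependency>
      <groupId>org.oldvendor.utils</groupId>
      <artifactId>utils</artifactId>
      <version>0.9</version>
    </dependency>
    <dependency>
      <groupId>io.github.someuser</groupId>
      <artifactId>helper</artifactId>
      <version>1.1</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# groupId prefixes issued under an account on a hosting provider's domain.
# The publisher never registered these domains; extend the tuple as needed.
SHARED_HOST_PREFIXES = ("io.github.", "com.github.", "io.gitlab.")


def classify_group_id(group_id):
    """Classify a groupId by how its namespace is anchored.

    Returns (kind, domain):
      ("domain", "example.com") for reverse-DNS ids such as com.example.lib
      ("shared", "github.io")   for ids issued under a hosting-provider account
      ("legacy", None)          for single-token ids with no domain at all
    """
    for prefix in SHARED_HOST_PREFIXES:
        if group_id.startswith(prefix):
            labels = prefix.rstrip(".").split(".")
            return "shared", ".".join(reversed(labels))
    parts = group_id.split(".")
    if len(parts) < 2:
        return "legacy", None
    # Assumption: the registrable domain is the first two labels (TLD + name).
    # Second-level registries such as co.uk are not special-cased here.
    return "domain", ".".join(reversed(parts[:2]))


def audit_pom(pom_xml):
    """Group every <dependency> in the POM by the domain that anchors its groupId.

    Returns a dict with:
      "domains":     {domain: sorted "groupId:artifactId" coordinates} to review
      "shared_host": coordinates whose namespace belongs to a hosting provider
      "legacy":      coordinates whose groupId has no domain to check
    """
    root = ET.fromstring(pom_xml)
    domains = defaultdict(set)
    shared, legacy = set(), set()
    for dep in root.findall(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", namespaces=NS)
        aid = dep.findtext("m:artifactId", namespaces=NS)
        coord = f"{gid}:{aid}"
        kind, domain = classify_group_id(gid)
        if kind == "domain":
            domains[domain].add(coord)
        elif kind == "shared":
            shared.add(coord)
        else:
            legacy.add(coord)
    return {
        "domains": {d: sorted(c) for d, c in domains.items()},
        "shared_host": sorted(shared),
        "legacy": sorted(legacy),
    }


if __name__ == "__main__":
    report = audit_pom(SAMPLE_POM)
    print("Domains to verify for current ownership:")
    for domain, coords in sorted(report["domains"].items()):
        print(f"  {domain}: {', '.join(coords)}")
    print("Shared-host namespaces (review the account, not a domain):", report["shared_host"])
    print("Legacy groupIds with no domain:", report["legacy"])
```

Run it against a real `pom.xml` by replacing `SAMPLE_POM` with the file's contents. The domain list is the review input; whether a listed domain is still held by the library's original publisher has to be confirmed separately, and enabling the build tool's dependency checksum or signature verification is the complementary control that catches a swapped artifact regardless of who owns the namespace.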

THN reports "MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries"

Submitted by grigby1