Comment by p3rspective
4 days ago
Make no mistake, Maven Central does get multiple malware components uploaded each year, though not nearly to the same extent as npm or pypi. Sonatype (my former employer) just doesn't report on these publicly each time it happens. It's not an isolated problem but certainly harder to do with maven.
I assume you're talking about malware uploaded to new artifact coordinates (possibly named so as to try to confuse users), not hijacking of existing artifact coordinates (group ID, artifact ID)?
generally yes, although hijacking can and has happened on Central with expired maintainer domains reclaimed by threat actor who can then republish malicious versions of a previously legit group/artifact ID. there's also the problem of mirrors or copies of hijacked npm being replicated on Central -https://x.com/SocketSecurity/status/1993389518247149907