Is Maven a plausible vector of attack?

It certainly was in the past. See http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

Maven Central supports HTTPS, as of July 2014.

Maven Central requires PGP signatures for artifacts. There's a plugin to verify the signatures: http://www.simplify4u.org/pgpverify-maven-plugin/index.html

Now, a bad guy can write a malicious program and sign it with PGP, and it would be verified, so you'll want to check that the PGP signature belongs to an organization / developer that you trust.
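The last point above is the one that matters in practice: a PGP signature that verifies only proves that somebody holding some key signed the jar. The following is an added example (not code from the answer above, and not the pgpverify-maven-plugin's own implementation) of what "belongs to someone you trust" looks like as a build check. It assumes the build has run `gpg --status-fd 1 --verify artifact.jar.asc artifact.jar` for each downloaded artifact and captured the machine-readable status lines; the `KEYS_MAP` allowlist and every fingerprint in it are hypothetical, and the status outputs are constructed for the example.

```python
"""Pin Maven artifact PGP signatures to trusted key fingerprints per groupId.

Added example; assumes gpg status-fd output has already been captured for the
artifact. A VALIDSIG line alone is not sufficient: anyone can generate a key
and sign a malicious jar, so the primary key fingerprint is also pinned.
"""
from typing import Dict, Optional, Set, Tuple

# Hypothetical allowlist: groupId -> primary key fingerprints allowed to sign it.
# The fingerprints are made up for this example and are not real project keys.
KEYS_MAP: Dict[str, Set[str]] = {
    "org.example.lib": {"D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0"},
}

# Any of these status keywords means the signature must not be accepted, even
# though gpg also prints VALIDSIG for signatures by expired or revoked keys.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(status_output: str) -> Tuple[Set[str], Optional[str]]:
    """Return (status keywords seen, primary key fingerprint from VALIDSIG or None)."""
    keywords: Set[str] = set()
    primary_fpr: Optional[str] = None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        keywords.add(keyword)
        if keyword == "VALIDSIG":
            # VALIDSIG <sig-key-fpr> <date> <ts> <expire> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> <primary-key-fpr>
            # Pin the primary key: signing subkeys rotate, the primary key does not.
            primary_fpr = fields[11] if len(fields) >= 12 else fields[2]
    return keywords, primary_fpr


def verify_artifact(group_id: str, status_output: str) -> Tuple[bool, str]:
    """Accept only a good signature made by a key pinned for this groupId."""
    keywords, fpr = parse_status(status_output)
    bad = keywords & REJECT_KEYWORDS
    if bad:
        return False, "signature rejected by gpg: " + ", ".join(sorted(bad))
    if fpr is None:
        return False, "no VALIDSIG line: signature did not verify"
    allowed = KEYS_MAP.get(group_id)
    if allowed is None:
        return False, f"no pinned key for groupId {group_id}; refusing signer {fpr}"
    if fpr not in allowed:
        return False, f"valid signature, but key {fpr} is not pinned for {group_id}"
    return True, f"signature by pinned key {fpr}"


# Constructed gpg status outputs for the example, not captured from a real run.
TRUSTED_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D3E4F5A6B7C8D9E0 Example Releases <releases@example.org>
[GNUPG:] VALIDSIG D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0 2024-01-01 1704067200 0 4 0 1 10 00 D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same artifact, but signed by a key nobody pinned: gpg says the signature is fine.
UNTRUSTED_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DDDD4444EEEE5555 Bad Guy <badguy@example.net>
[GNUPG:] VALIDSIG AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 2024-01-01 1704067200 0 4 0 1 10 00 AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
BADSIG_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG D3E4F5A6B7C8D9E0 Example Releases <releases@example.org>
"""

if __name__ == "__main__":
    for name, status in [("trusted", TRUSTED_STATUS), ("untrusted", UNTRUSTED_STATUS), ("badsig", BADSIG_STATUS)]:
        ok, reason = verify_artifact("org.example.lib", status)
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The untrusted case is the interesting one: gpg reports GOODSIG and VALIDSIG, and a check that stops at "does the signature verify?" would accept the jar. Only the per-groupId pin rejects it. The same applies to the plugin's keys-map configuration: without a mapping from groupId to key, signature verification is just an integrity check, not an authenticity check.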


  1. Along with the accepted answer, your intranet Maven repository can be poisoned by someone inside your organisation with access to your intranet Maven repository. I would advise applying strict access control to your intranet Maven repository. Many Maven repositories in my experience have a single admin user that many developers know the password to.

  2. A "Cross-Build Injection (XBI)" attack is also possible by poisoning the maven-compiler-plugin which most Maven projects use.

  3. Dilettante is a proxy for exploiting the fact that older versions of Maven still connect via HTTP and not HTTPS.
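Point 3 above is only exploitable when a build actually fetches something over plain HTTP, which is easy to miss in a large pom.xml or a shared settings.xml. The following is an added example (not code from the answer above) that scans a POM or settings file for repository-like elements whose URL uses `http://`. It assumes only the standard layout, in which every `<repository>`, `<pluginRepository>`, `<snapshotRepository>`, `<site>` and `<mirror>` carries an `<id>` and a `<url>`; the namespace is stripped so the same code handles both the POM and the settings schema, and the two XML documents are constructed for the example.

```python
"""Flag plain-HTTP Maven repositories and mirrors in pom.xml or settings.xml.

Added example. Only elements that are download locations are inspected;
<url> under <project> or <scm> is a homepage, not a repository, and is ignored.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

REPOSITORY_TAGS = {"repository", "pluginRepository", "snapshotRepository", "site", "mirror"}


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://maven.apache.org/POM/4.0.0}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def insecure_repositories(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (element, id, url) for every repository-like element served over http://.

    URLs built from ${properties} are not resolved here; they would need the
    effective POM (mvn help:effective-pom) to be checked the same way.
    """
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str, str]] = []
    for elem in root.iter():
        if _local(elem.tag) not in REPOSITORY_TAGS:
            continue
        repo_id, url = "", ""
        for child in elem:
            if _local(child.tag) == "id":
                repo_id = (child.text or "").strip()
            elif _local(child.tag) == "url":
                url = (child.text or "").strip()
        if urlsplit(url).scheme.lower() == "http":
            findings.append((_local(elem.tag), repo_id, url))
    return findings


# Constructed inputs for the example, not taken from a real project.
POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>app</artifactId>
  <version>1.0</version>
  <url>http://example.org/app</url>
  <repositories>
    <repository>
      <id>central</id>
      <url>https://repo1.maven.org/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>legacy-plugins</id>
      <url>http://plugins.example.org/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

SETTINGS = """<?xml version="1.0"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>intranet</id>
      <mirrorOf>*</mirrorOf>
      <url>http://nexus.intranet.example/repository/maven-public/</url>
    </mirror>
  </mirrors>
</settings>
"""

if __name__ == "__main__":
    for label, doc in [("pom.xml", POM), ("settings.xml", SETTINGS)]:
        for element, repo_id, url in insecure_repositories(doc):
            print(f"{label}: <{element}> id={repo_id!r} fetches over plain HTTP: {url}")
```

The project `<url>` in the sample POM is deliberately `http://` and is not reported, while the plugin repository and the catch-all `<mirrorOf>*</mirrorOf>` mirror are. That mirror is the worst case for the Dilettante-style attack: every artifact the build needs, plugins included, goes through one unauthenticated HTTP connection. As a caveat, Maven 3.8.1 and later ship a default mirror that blocks external `http://` repositories, so this check mainly matters for older Maven installations and for the intranet mirrors that people add to get around that block.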