Maven Typosquatting
ID: typosquatting_maven
Severity: low
Family: Typosquatting
Description
It occurs when the attacker publishes an artifact whose groupId or artifactId closely resembles that of a popular artifact, inducing users to install this package inadvertently. This attack strategy is generic and is used against many build managers, including Maven.
Security
If the project depends on the malicious artifact, code written by the attacker can be executed.
The artifact may even replicate the functionality of the original, so the substitution goes unnoticed and the malicious code ends up running in a production environment.
Examples
pom.xml

<properties>
  <commons-lang3.version>3.12.0</commons-lang3.version>
</properties>
<dependencies>
  <dependency>
    <groupId>apache.commons</groupId>
    <artifactId>commons-lang3</artifactId>
    <version>${commons-lang3.version}</version>
  </dependency>
</dependencies>
The groupId apache.commons does not exist.
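The following script is an added example, not part of this rule page or of the tool it belongs to. It shows one way a defender can catch the mistake above before a build runs: parse the dependencies out of a pom.xml and flag any groupId that is not on a vetted list but closely resembles an entry on it. The allowlist `KNOWN_GROUP_IDS` and the embedded pom are constructed samples; the only real fact assumed is that commons-lang3 is published under the groupId org.apache.commons. The similarity threshold (0.8) is a tunable heuristic, not a standard.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed allowlist of well-known groupIds (sample only; a real check
# would use the organisation's vetted list of approved groups).
KNOWN_GROUP_IDS = {
    "org.apache.commons",
    "org.apache.maven",
    "com.google.guava",
    "org.springframework",
}

# Constructed pom.xml mirroring the page's example: the first groupId is
# missing its "org." prefix, the second is legitimate.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <commons-lang3.version>3.12.0</commons-lang3.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>${commons-lang3.version}</version>
    </dependency>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>31.1-jre</version>
    </dependency>
  </dependencies>
</project>"""


def _local(tag):
    """Strip the XML namespace so the parser works with or without the POM xmlns."""
    return tag.rsplit("}", 1)[-1]


def find_dependencies(pom_xml):
    """Return (groupId, artifactId) pairs for every <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    deps = []
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        deps.append((fields.get("groupId", ""), fields.get("artifactId", "")))
    return deps


def closest_known_group(group_id, known=KNOWN_GROUP_IDS, cutoff=0.8):
    """Return the known groupId that group_id resembles, or None.

    A groupId that is itself on the allowlist is not suspicious. One that is
    absent but within the similarity cutoff of an allowlisted group is the
    typosquatting pattern this rule describes.
    """
    if group_id in known:
        return None
    matches = difflib.get_close_matches(group_id, sorted(known), n=1, cutoff=cutoff)
    return matches[0] if matches else None


def suspicious_dependencies(pom_xml):
    """List (groupId, artifactId, lookalike_known_group) for near-miss groupIds."""
    findings = []
    for group_id, artifact_id in find_dependencies(pom_xml):
        lookalike = closest_known_group(group_id)
        if lookalike is not None:
            findings.append((group_id, artifact_id, lookalike))
    return findings


if __name__ == "__main__":
    for group_id, artifact_id, lookalike in suspicious_dependencies(SAMPLE_POM):
        print(f"WARN {group_id}:{artifact_id} is not allowlisted but resembles {lookalike}")
```

Run as a pre-commit hook or CI step, the script prints one warning for the `apache.commons` dependency and stays silent for `com.google.guava`. A groupId that matches nothing on the list at all is not reported here; that case is better handled by requiring every new group to be added to the allowlist explicitly.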