Numerous Android and Java apps leveraging abandoned open-source libraries, including all technologies based on Apache Maven, could be compromised through the novel MavenGate software supply chain attack technique, reports The Hacker News.
Threat actors could leverage the MavenGate method to facilitate dependency artifact takeovers and malicious code injections, as well as build process compromise, without being detected, a report from Oversecured revealed.
"An attacker can gain access to a vulnerable groupId by asserting their rights to it via a DNS TXT record in a repository where no account managing the vulnerable groupId exists. If a groupId is already registered with the repository, an attacker can attempt to gain access to that groupId by contacting the repository's support team," said researchers.
Such findings should prompt more accountability for developers, researchers said.
"Library developers should be responsible for the dependencies they declare and also write public key hashes for their dependencies, while the end developer should be responsible only for their direct dependencies," added researchers.
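
The researchers' recommendation to record public key hashes for dependencies can be enforced with a check like the one below. This is an added example, not code from Oversecured or The Hacker News: the POM, coordinates, fingerprints and function names are all constructed or hypothetical, and the groupId-to-domain mapping is simplified to the first two labels of the groupId.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Constructed sample POM (reserved example domains, not from the report).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
<dependencies>
<dependency><groupId>com.example.widgets</groupId><artifactId>widget-core</artifactId></dependency>
<dependency><groupId>org.example.legacy</groupId><artifactId>old-utils</artifactId></dependency>
<dependency><groupId>net.example.parser</groupId><artifactId>parser</artifactId></dependency>
</dependencies></project>"""
# Constructed pins: "groupId:artifactId" -> expected signing-key fingerprint.
PINS = {"com.example.widgets:widget-core": "A1" * 20,
        "org.example.legacy:old-utils": "B2" * 20}
# Constructed observations: fingerprint of the key that signed each artifact.
# In a real build these come from verifying the artifact's .asc signature.
OBSERVED = {"com.example.widgets:widget-core": "A1" * 20,
            "org.example.legacy:old-utils": "C3" * 20,   # signer changed
            "net.example.parser:parser": "D4" * 20}      # never pinned


def group_domain(group_id):
    """Domain behind a reverse-DNS groupId (simplified: first two labels)."""
    labels = group_id.split(".")
    return ".".join(reversed(labels[:2])) if len(labels) >= 2 else None


def audit(pom_xml, pins, observed):
    """One (coordinate, domain, status) finding per declared dependency."""
    findings = []
    for dep in ET.fromstring(pom_xml).findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", namespaces=NS).strip()
        coord = f"{group}:{artifact}"
        seen, pinned = observed.get(coord), pins.get(coord)
        if seen is None:
            status = "UNSIGNED"   # no signature seen: nothing to compare
        elif pinned is None:
            status = "UNPINNED"   # signed, but no key hash was recorded
        elif seen.upper() != pinned.upper():
            status = "MISMATCH"   # signed by a key other than the pinned one
        else:
            status = "OK"
        findings.append((coord, group_domain(group), status))
    return findings


if __name__ == "__main__":
    for coord, domain, status in audit(SAMPLE_POM, PINS, OBSERVED):
        print(f"{status:9} {coord}  (groupId domain: {domain})")
```

A build gate would fail on any status other than OK; the domain column tells the reviewer which domain the groupId's ownership claim rests on.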