{"id":31136074,"url":"https://github.com/chains-project/maven-hijack-poc","last_synced_at":"2025-09-18T07:55:37.872Z","repository":{"id":255064752,"uuid":"816427351","full_name":"chains-project/maven-hijack-poc","owner":"chains-project","description":"Java-Class-Hijack: Software Supply Chain Attack for Java based on Maven Dependency Resolution and Java Classloading","archived":false,"fork":false,"pushed_at":"2025-07-02T13:16:52.000Z","size":40074,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-10T00:39:20.489Z","etag":null,"topics":["java","supply-chain-security"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chains-project.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-06-17T18:20:28.000Z","updated_at":"2025-09-05T16:26:23.000Z","dependencies_parsed_at":"2025-07-02T13:44:29.560Z","dependency_job_id":null,"html_url":"https://github.com/chains-project/maven-hijack-poc","commit_stats":null,"previous_names":["fredbonux/class-hijack-poc","chains-project/class-hijack-poc","chains-project/maven-hijack-poc"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/chains-project/maven-hijack-poc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fmaven-hijack-poc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fmaven-hijack-poc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/chains-project%2Fmaven-hijack-poc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fmaven-hijack-poc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chains-project","download_url":"https://codeload.github.com/chains-project/maven-hijack-poc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fmaven-hijack-poc/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274411832,"owners_count":25280193,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-10T02:00:12.551Z","response_time":83,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["java","supply-chain-security"],"created_at":"2025-09-18T07:55:33.903Z","updated_at":"2025-09-18T07:55:37.864Z","avatar_url":"https://github.com/chains-project.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Maven-Hijack: PoC Repository\n\n## Overview\n\nThis repository contains the Proof-of-Concept (PoC) code and replication scripts for the paper **Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order**.\n\n### Abstract\n\nWe introduce Java-Class-Hijack, a novel software supply chain attack that enables an attacker to inject malicious code by crafting a class that shadows a legitimate class in the 
dependency tree. This PoC demonstrates the feasibility of the attack and replicates it in the German Corona-Warn-App server application. The attack shows how a transitive dependency deep within the dependency tree can hijack a class from a direct dependency, posing significant security risks to Java applications.\n\n## Repository Structure\n\n```\nclass-hijack-poc\n├── android\n├── java\n│   ├── gradle\n│   └── maven\n│       ├── abstract-project\n│       └── real-project\n│           ├── cwa-server.zip\n│           └── json-schema.zip\n├── php\n├── README.md\n└── LICENSE\n```\n\n### Key Components\n\n- `java/maven/real-project/cwa-server.zip`: Contains the replication of the attack on the Corona-Warn-App backend service.\n- `java/maven/real-project/json-schema.zip`: Contains additional resources needed for the replication.\n- `java/maven/abstract-project`: Abstract project setup demonstrating the class hijacking.\n- `java/gradle`: Gradle-based project setup.\n- `android`: Android-specific implementations.\n- `php`: PHP-specific implementations.\n\n## Getting Started\n\n### Prerequisites\n\n- Java 8 or later\n- Maven 3.6 or later\n- Gradle (for Gradle projects)\n- PHP and Composer (for PHP projects)\n\n## Attack Description\n\nThe attack takes place in two steps:\n\n1. **Crafting a Malicious Class:** The attacker creates a malicious class with the same fully qualified name as a legitimate class.\n2. 
**Embedding the Malicious Class:** The attacker embeds this malicious class in a dependency that is included earlier in the dependency resolution order.\n\nFor more details, refer to the paper section on the attack methodology.\n\n## Replication in Real-World Project\n\nThe PoC includes scripts to replicate the attack on the Corona-Warn-App backend service (`cwa-server`).\nDetailed instructions to set up and run the application are coming soon.\n\n## Mitigation Strategies\n\nTo mitigate such attacks, consider the following strategies:\n\n- Use dependency management tools that detect and prevent such conflicts.\n- Regularly audit your dependency tree.\n- Implement strict version controls and use trusted repositories.\n- Use Java Modules to avoid package name collisions.\n\n## Contributing\n\nWe welcome contributions to improve this PoC. Please fork the repository and create a pull request with your changes.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchains-project%2Fmaven-hijack-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchains-project%2Fmaven-hijack-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchains-project%2Fmaven-hijack-poc/lists"}