Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order
Frank Reyes, Federico Bono, Aman Sharma, Benoit Baudry, Martin Monperrus

TL;DR
Maven-Hijack reveals a new supply chain attack exploiting dependency resolution order in Maven, demonstrating real-world impact and evaluating mitigation strategies like Java Modules and Maven Enforcer.
Contribution
This paper introduces Maven-Hijack, a novel attack exploiting dependency order in Maven, and assesses effective mitigation strategies for Java projects.
Findings
The attack can silently override core application behavior.
Java Modules provide strong protection against the attack.
Maven Enforcer plugin effectively detects duplicate classes.
Abstract
Java projects frequently rely on package managers such as Maven to manage complex webs of external dependencies. While these tools streamline development, they also introduce subtle risks to the software supply chain. In this paper, we present Maven-Hijack, a novel attack that exploits the order in which Maven packages dependencies and the way the Java Virtual Machine resolves classes at runtime. By injecting a malicious class with the same fully qualified name as a legitimate one into a dependency that is packaged earlier, an attacker can silently override core application behavior without modifying the main codebase or library names. We demonstrate the real-world feasibility of this attack by compromising the Corona-Warn-App, a widely used open-source COVID-19 contact tracing system, and gaining control over its database connection logic. We evaluate three mitigation strategies, such…
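As an added illustration (not code from the paper or its authors), the following Python script performs the kind of duplicate-class check that the Maven Enforcer plugin automates: it walks jars in their packaging (classpath) order and reports every fully qualified class name present in more than one jar, naming the jar the JVM would actually load it from. The jar names, class names and jar contents are constructed samples.

```python
import io
import zipfile

# Constructed sample: two jars that both ship a class with the same fully
# qualified name (com/example/db/ConnectionFactory); only entry names matter.
def make_jar(entries):
    """Build an in-memory jar (a zip) holding the given class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return buf.getvalue()

def list_classes(jar_bytes):
    """Return the fully qualified class names of every .class entry in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [
            n[:-len(".class")].replace("/", ".")
            for n in zf.namelist()
            if n.endswith(".class") and n != "module-info.class"
        ]

def find_shadowed_classes(classpath):
    """classpath: list of (jar_name, jar_bytes) in packaging/classpath order.

    Returns {fqcn: [jar_name, ...]} for each class present in more than one
    jar. The first jar listed is the one a flat-classpath JVM loads from,
    because class lookup stops at the first match.
    """
    seen = {}
    for jar_name, jar_bytes in classpath:
        for fqcn in list_classes(jar_bytes):
            seen.setdefault(fqcn, []).append(jar_name)
    return {fqcn: jars for fqcn, jars in seen.items() if len(jars) > 1}

SAMPLE_CLASSPATH = [
    ("evil-util-1.0.jar", make_jar([
        "com/evil/Util.class",
        "com/example/db/ConnectionFactory.class",  # impostor copy, packaged first
    ])),
    ("app-core-2.3.jar", make_jar([
        "com/example/db/ConnectionFactory.class",  # legitimate copy
        "com/example/App.class",
    ])),
]

if __name__ == "__main__":
    for fqcn, jars in find_shadowed_classes(SAMPLE_CLASSPATH).items():
        print(f"DUPLICATE {fqcn}: loaded from {jars[0]}, shadows {jars[1:]}")
```

In a real build the same check runs over the jars Maven places on the classpath; any class reported here should be treated as a build failure until the duplicate is explained.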
Taxonomy
Topics: Software System Performance and Reliability · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
