Malicious Package Affecting com.github.codingandcoding:maven-compiler-plugin package, versions [0,]

Q: How to fix?

<p>Avoid using <code>com.github.codingandcoding:maven-compiler-plugin</code> altogether.</p>

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Mature

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-COMGITHUBCODINGANDCODING-1059413
published 14 Jan 2021
disclosed 13 Jan 2021
credit Sonatype Security Research Team

Report a new vulnerability Found a mistake?

Introduced: 13 Jan 2021

Malicious CWE-506 Open this link in a new tab

How to fix?

Avoid using com.github.codingandcoding:maven-compiler-plugin altogether.

Overview

com.github.codingandcoding:maven-compiler-plugin is a malicious package.

Affected versions of this package are vulnerable to Malicious Package. Within the JAR of this component, the malicious code exists in the execute() method of the CompilerMojo.class file, which contains a hardcoded C2 server link.

References

Blog