Been a while since I looked into this, but afaik Maven Central is run by Sonatype, which happens to be one of the major players for systems related to Supply Chain Security.
From what I remember (a few years old, things may have changed) they required devs to stage packages to a specific test env, packages were inspected not only for malware but also vulnerabilities before being released to the public.
NPM on the other hand... Write a package -> publish. Npm might scan for malware, they might do a few additional checks, but at least back when I looked into it nothing happened proactively.
Make no mistake, Maven Central does get multiple malware components uploaded each year, though not nearly to the same extent as npm or pypi. Sonatype (my former employer) just doesn't report on these publicly each time it happens. It's not an isolated problem but certainly harder to do with maven.
I assume you're talking about malware uploaded to new artifact coordinates (possibly named so as to try to confuse users), not hijacking of existing artifact coordinates (group ID, artifact ID)?
tonyedgecombe|3 months ago
Perhaps its package owners do.