On January 7th, Sonatype became aware of 3 malicious brandjacking components which were published to the Maven Central Repository in the last week of 2020.
As soon as the company became aware of the issue, we immediately blocked access to and removed these components from the Central Repository, and then initiated a thorough investigation into the incident.
The three component GAVs, tracked by their respective Sonatype vulnerability identifiers, are:
| Group ID | Artifact ID | Version(s) | Vulnerability Tracking Identifier |
|---|---|---|---|
| com.github.codingandcoding | maven-compiler-plugin | 3.9.0 | sonatype-2021-0012 |
| com.github.codingandcoding | mail-watcher-plugin | 1.16, 1.17 | sonatype-2021-0013 |
| com.github.codingandcoding | servlet-api | 3.2.0 | sonatype-2021-0014 |
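As an added example (not part of the original notice or any Sonatype tooling), the following script checks a project's pom.xml for the three coordinates listed above. It inspects both `<dependency>` and `<plugin>` elements, since maven-compiler-plugin would be referenced as a build plugin rather than a dependency, and treats a listed group/artifact pair with a different or inherited version as still worth review. The sample POM and the `org.example` coordinates in it are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# The three brandjacking coordinates from the advisory: (groupId, artifactId) -> affected versions.
MALICIOUS_GAVS = {
    ("com.github.codingandcoding", "maven-compiler-plugin"): {"3.9.0"},
    ("com.github.codingandcoding", "mail-watcher-plugin"): {"1.16", "1.17"},
    ("com.github.codingandcoding", "servlet-api"): {"3.2.0"},
}


def _local(tag):
    # Strip the POM XML namespace, if present, so the scan works with or without xmlns.
    return tag.rsplit("}", 1)[-1]


def scan_pom(pom_xml):
    """Return (kind, groupId, artifactId, version, verdict) for every <dependency> or
    <plugin> whose group/artifact pair is on the list. "malicious" is an exact match on
    a listed version; "suspicious" means the version differs or is inherited (no
    <version> element, e.g. managed by a parent POM), which still warrants review."""
    findings = []
    for elem in ET.fromstring(pom_xml).iter():
        kind = _local(elem.tag)
        if kind not in ("dependency", "plugin"):
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        key = (fields.get("groupId"), fields.get("artifactId"))
        if key in MALICIOUS_GAVS:
            version = fields.get("version")
            verdict = "malicious" if version in MALICIOUS_GAVS[key] else "suspicious"
            findings.append((kind, key[0], key[1], version, verdict))
    return findings


# Constructed sample POM for a hypothetical project; not taken from any real build.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>benign-lib</artifactId><version>2.0</version></dependency>
    <dependency><groupId>com.github.codingandcoding</groupId><artifactId>servlet-api</artifactId><version>3.2.0</version></dependency>
    <dependency><groupId>com.github.codingandcoding</groupId><artifactId>mail-watcher-plugin</artifactId></dependency>
  </dependencies>
  <build><plugins>
    <plugin><groupId>com.github.codingandcoding</groupId><artifactId>maven-compiler-plugin</artifactId><version>3.9.0</version></plugin>
  </plugins></build>
</project>"""

if __name__ == "__main__":
    for finding in scan_pom(SAMPLE_POM):
        print("%-10s %s:%s:%s -> %s" % finding)
```

Run it against a real project with `scan_pom(open("pom.xml").read())`; for multi-module builds, scan every module's pom.xml, since the effective coordinates can be inherited from a parent.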
Written by Admin