For most of the last two years, the loudest supply chain attacks lived in npm and PyPI. Java teams watched from a distance and assumed the blast radius stopped at JavaScript and Python. It does not.
When the Shai-Hulud worm came back for its second wave, it did not stay in npm. The same payload that hit PostHog's npm packages also surfaced on Maven Central, where an automated process that re-publishes npm modules as Maven artifacts had rebundled a compromised version before the mirrored copies were purged. Separately, attackers slipped a malicious lookalike of the widely trusted Jackson JSON library into Maven Central, using namespace impersonation and a multi-stage, obfuscated payload to deliver Cobalt Strike to anyone who pulled the wrong coordinate. The Java ecosystem is squarely in scope.
The uncomfortable part is why these attacks work. A compromised version gets published, a build resolves it, and the malicious artifact runs with whatever access that build has, often in CI, often with secrets in reach. The window between "published" and "discovered" is where the damage happens, and traditional vulnerability scanners that wait for an official CVE are usually too slow to help. Java's transitive dependency trees, where a single direct dependency can pull in dozens of indirect ones, only widen the surface.
Until now, StepSecurity customers could close that window for npm and PyPI but not for Maven. Today that changes.
What's new
Maven is now a first-class ecosystem in two places, alongside npm and PyPI.
GitHub Checks
Two new PR Content Security controls bring the same protection Java teams have wanted to the pull request, before a risky dependency ever merges:
- Maven Package Compromised Updates blocks any pull request that introduces or updates a Maven dependency flagged in StepSecurity's compromised-packages database. Because StepSecurity's SOC maintains that database in real time, often ahead of an official CVE, the check can stop a malicious release at the speed of the ecosystem rather than the speed of disclosure.
- Maven Package Cooldown blocks pull requests that add recently published Maven versions until they age beyond a configurable cooldown window. Most malicious releases are caught within the first day or two of publication, so a short waiting period gives the ecosystem and StepSecurity's threat intelligence time to react before the version reaches your build.

Both controls can be set to Required (blocks the merge on failure) or Optional (advisory only), exactly like their npm and PyPI counterparts. If a critical patch genuinely needs to ship inside the cooldown window, the existing Approve All override applies here too.
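To make the two controls concrete, here is a small added example (not StepSecurity's code) of how a pull-request check of this kind can be modelled: it reads the explicit dependency coordinates out of a pom.xml, fails any coordinate listed in a compromised-package feed, and fails any coordinate whose publish date is younger than a configurable cooldown. The threat feed, publish timestamps, group and artifact names and the pom.xml are all constructed sample data; a real implementation would pull publish dates from the repository's metadata and the compromised list from a live feed.

```python
"""Toy model of a Maven pull-request check: compromised-package block plus
publication-age cooldown. Added example, not StepSecurity's implementation.
All package names, versions, dates and the pom.xml below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed threat feed: "group:artifact" -> set of compromised versions.
COMPROMISED = {
    "com.example.analytics:tracker-java": {"1.4.2"},
}

# Constructed publish timestamps keyed by full coordinate. A real check would
# read these from the repository (e.g. maven-metadata.xml) rather than a dict.
PUBLISHED_AT = {
    "com.example.analytics:tracker-java:1.4.2": datetime(2025, 11, 24, tzinfo=timezone.utc),
    "com.example.analytics:tracker-java:1.4.1": datetime(2025, 9, 1, tzinfo=timezone.utc),
    "com.example.json:json-core:2.18.0": datetime(2025, 10, 10, tzinfo=timezone.utc),
    "com.example.json:json-core:2.18.1": datetime(2025, 11, 25, tzinfo=timezone.utc),
}

# Constructed "time of review" so the example is deterministic.
REVIEW_TIME = datetime(2025, 11, 26, tzinfo=timezone.utc)

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.example.analytics</groupId>
      <artifactId>tracker-java</artifactId>
      <version>1.4.2</version>
    </dependency>
    <dependency>
      <groupId>com.example.json</groupId>
      <artifactId>json-core</artifactId>
      <version>2.18.1</version>
    </dependency>
  </dependencies>
</project>"""


@dataclass(frozen=True)
class Finding:
    coordinate: str
    control: str  # "compromised" or "cooldown"
    detail: str


def parse_pom_dependencies(pom_xml: str) -> list[str]:
    """Return 'group:artifact:version' for every <dependency> with a literal version.
    Versions given as ${property} placeholders are skipped; resolving them needs
    the effective POM, which this toy parser does not compute."""
    root = ET.fromstring(pom_xml)
    coords = []
    for dep in root.iter(f"{POM_NS}dependency"):
        group = dep.findtext(f"{POM_NS}groupId")
        artifact = dep.findtext(f"{POM_NS}artifactId")
        version = dep.findtext(f"{POM_NS}version")
        if group and artifact and version and not version.startswith("${"):
            coords.append(f"{group}:{artifact}:{version}")
    return coords


def evaluate(coords: list[str], now: datetime, cooldown_days: int = 3) -> list[Finding]:
    """Apply both controls to each coordinate and collect the reasons to block."""
    findings = []
    for coord in coords:
        group_artifact, _, version = coord.rpartition(":")
        if version in COMPROMISED.get(group_artifact, set()):
            findings.append(Finding(coord, "compromised", "listed in compromised-package feed"))
            continue  # one blocking reason is enough; no need to also age-check it
        published = PUBLISHED_AT.get(coord)
        if published is None:
            # Unknown publish date: fail closed and treat it as brand new.
            findings.append(Finding(coord, "cooldown", "publish date unknown; treated as new"))
        elif now - published < timedelta(days=cooldown_days):
            age = (now - published).days
            findings.append(Finding(coord, "cooldown",
                                    f"published {age} day(s) ago, inside {cooldown_days}-day cooldown"))
    return findings


def check_passes(findings: list[Finding], required: bool = True) -> bool:
    """Required mode fails the check on any finding; Optional mode is advisory only."""
    return not (required and findings)


if __name__ == "__main__":
    for f in evaluate(parse_pom_dependencies(SAMPLE_POM), REVIEW_TIME):
        print(f"{f.control:12} {f.coordinate}: {f.detail}")
```

Run against the sample pom.xml, the check reports one compromised coordinate and one coordinate still inside the cooldown, so it fails in Required mode and passes in Optional mode. Note the fail-closed choice for a coordinate with no known publish date: a version the metadata has never seen is exactly the case a cooldown is meant to catch.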
OSS Package Search
Maven now appears in the Package ecosystem toggle, so when a Maven package is reported compromised, you can immediately answer the only question that matters during an incident: where is it? OSS Package Search finds every place a specific Maven package and version appears across your pull requests, default branches, and developer machines, links CI/CD findings straight to the pull request that introduced the dependency, and lets you export the results to CSV for tracking remediation.

Coming soon
Maven support is launching in GitHub Checks and OSS Package Search first. Two more pieces are on the way:
- Secure Registry will add Maven so that compromised and freshly published Java packages can be blocked at install time, the same way npm and PyPI already are. This extends the cooldown and compromised-package controls from the pull request all the way down to the registry layer, where every build and developer machine fetches its dependencies.
- Dev Machine Guard will add Maven coverage on developer machines, so Java dependencies can be inventoried and audited across your fleet alongside npm and PyPI.
Getting started
Maven controls and search behave just like the npm and PyPI features you already use, so there is nothing new to learn:
- In GitHub Checks, open Configuration, enable Maven Package Compromised Updates and Maven Package Cooldown, set each to Required or Optional, tune the cooldown window, and apply the controls to your repositories.
- In OSS Package Search, select Maven from the Package ecosystem toggle and search for any package across your organization or tenant.
Java has been part of the software supply chain attack surface for a while. Now it is part of the same defenses you already trust for npm and PyPI. For the full picture of how StepSecurity tracks these campaigns, see How Harden-Runner detected Shai-Hulud in CNCF's Backstage repository.