🤖 AI Summary
Java supply chains are exposed to a class-hijacking attack that arises from the interplay between Maven's dependency resolution order and the JVM's first-match class loading on the classpath. Method: The authors introduce Java-Class-Hijack, a stealthy software supply chain attack in which a transitive dependency ships a class whose fully qualified name is identical to that of a legitimate class in a direct dependency; because Maven's resolution order decides which copy comes first on the classpath at build and run time, the attacker's class shadows the legitimate one and overrides its behavior without modifying the application's own code or any library coordinates. Contribution/Results: The work describes the attack, provides a proof-of-concept showing that a dependency deep in the tree can hijack a class from a direct dependency, and replicates it on the German Corona-Warn-App server, where compromising a small JSON validation library suffices for a complete database takeover. The results argue for build-time detection of duplicate class names across the dependency tree and for verifying which copy of a class the runtime actually loads.
📝 Abstract
We introduce Java-Class-Hijack, a novel software supply chain attack that enables an attacker to inject malicious code by crafting a class that shadows a legitimate class in the dependency tree. We describe the attack, provide a proof-of-concept demonstrating its feasibility, and replicate it in the German Corona-Warn-App server application. The proof-of-concept illustrates how a transitive dependency deep within the dependency tree can hijack a class from a direct dependency and entirely alter its behavior, posing a significant security risk to Java applications. The replication on the Corona-Warn-App demonstrates how compromising a small JSON validation library could result in a complete database takeover.
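The shadowing described above is only possible because two JARs on the same classpath may contain entries with the same fully qualified class name, and the JVM's application class loader (like a first-wins fat-JAR packager) uses whichever copy it meets first. The check below is an added example, not the paper's tooling or the Corona-Warn-App's build: it constructs two in-memory JARs, one standing in for a direct dependency and one for a deep transitive dependency that carries a same-named class, then lists every colliding class name and reports which artifact's copy wins for a given classpath order. The artifact names, class names and the classpath order (a hypothetical Maven resolution in which an earlier-declared direct dependency pulls the malicious transitive JAR in ahead of the later-declared legitimate one) are all assumptions made for the example.

```python
"""Detect fully-qualified class-name collisions across a set of JARs.

Added example, not the paper's own tooling. JAR contents, artifact names and
classpath order are constructed for illustration.
"""
import io
import zipfile
from collections import defaultdict


def build_jar(entries):
    """Construct an in-memory JAR (a ZIP archive) from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def class_names(jar_bytes):
    """Yield the fully qualified (dotted) names of classes stored in a JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(".class") and not name.startswith("META-INF/"):
                yield name[: -len(".class")].replace("/", ".")


def find_collisions(classpath):
    """classpath: list of (artifact_id, jar_bytes) in resolution order.

    Returns {class_name: [artifact_id, ...]} for every class present in more
    than one artifact, with artifacts listed in classpath order. The first
    artifact in each list is the one whose bytecode the JVM will load.
    """
    owners = defaultdict(list)
    for artifact, jar in classpath:
        for cls in class_names(jar):
            owners[cls].append(artifact)
    return {cls: arts for cls, arts in owners.items() if len(arts) > 1}


def winner(classpath, cls):
    """Artifact whose copy of `cls` is loaded under first-found-wins, or None."""
    for artifact, jar in classpath:
        if cls in set(class_names(jar)):
            return artifact
    return None


# Constructed sample data: the bytes are placeholders, not real bytecode.
DIRECT = build_jar({
    "com/example/json/Validator.class": b"\xca\xfe\xba\xbe legit",
    "com/example/json/Schema.class": b"\xca\xfe\xba\xbe legit",
})
DEEP = build_jar({
    "com/example/json/Validator.class": b"\xca\xfe\xba\xbe malicious",
    "org/evil/Util.class": b"\xca\xfe\xba\xbe",
})

# Hypothetical Maven resolution order: the transitive JAR (reached through a
# direct dependency declared earlier in the POM) precedes the legitimate one.
CLASSPATH = [("evil-deep-dep", DEEP), ("json-validator", DIRECT)]

if __name__ == "__main__":
    for cls, arts in sorted(find_collisions(CLASSPATH).items()):
        print(f"COLLISION {cls}: {' before '.join(arts)} "
              f"(loaded from: {winner(CLASSPATH, cls)})")
```

Run against a real project, the same logic applies to the JARs listed by `mvn dependency:build-classpath`; in Maven builds the `banDuplicateClasses` rule of the MojoHaus `extra-enforcer-rules` performs this duplicate-class check as part of the enforcer plugin. Reversing the order of `CLASSPATH` in the example flips the winner, which is exactly why a harmless-looking change in declaration order or dependency depth can turn an existing collision into a hijack.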