Open-source software supply chain attacks aim at infecting downstream users
by poisoning open-source packages. Such artifacts are commonly consumed
through package repositories, and the development of vetting strategies to
detect such attacks is ongoing research. Despite its popularity, the Java
ecosystem is one of the less explored in the context of supply chain attacks.
In this paper we present indicators of malicious behavior that can be
observed statically through the analysis of Java bytecode. Then we evaluate how
such indicators and their combinations perform when detecting malicious code
injections. We do so by injecting three malicious payloads taken from
real-world examples into the Top-10 most popular Java libraries from
libraries.io.
We found that the analysis of strings in the constant pool and of sensitive
APIs in the bytecode instructions aids in detecting malicious Java packages by
significantly reducing the amount of information to review, which also makes
manual triage possible.
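As an added illustration of the two indicators named above (this is not code from the paper), the following Python script parses the constant pool of a Java class file and reports only string constants that look like network endpoints or encoded payloads and method references that hit a watch-list of sensitive APIs, dropping everything else so that an analyst sees a handful of lines instead of the whole pool. The watch-list, the string heuristics, and the `SAMPLE_CLASS` bytes (a hand-built class-file prefix with a placeholder URL) are constructed assumptions for the example, not values taken from the paper.

```python
import re
import struct

# Constant-pool tags from the JVM class-file specification (section 4.4).
CONSTANT_UTF8 = 1
CONSTANT_LONG, CONSTANT_DOUBLE = 5, 6
CONSTANT_CLASS, CONSTANT_STRING = 7, 8
CONSTANT_METHODREF, CONSTANT_IFMETHODREF = 10, 11
# Payload sizes (bytes after the tag) for every fixed-size tag.
FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Assumed watch-list of sensitive APIs ("class.method"); illustrative, not the paper's list.
SENSITIVE_APIS = {
    "java/lang/Runtime.exec": "process execution",
    "java/lang/ProcessBuilder.<init>": "process execution",
    "java/net/URL.openConnection": "network access",
    "java/lang/ClassLoader.defineClass": "dynamic code loading",
    "java/lang/reflect/Method.invoke": "reflection",
    "java/util/Base64$Decoder.decode": "payload decoding",
}
# Assumed string heuristics: URL scheme, IPv4 literal, long base64-looking blob.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def parse_constant_pool(data: bytes) -> list:
    """Parse only the constant pool; returns a list indexed from 1 (slot 0 unused)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool, off, i = [None], 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == CONSTANT_UTF8:
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            # Java stores "modified UTF-8"; plain decoding is close enough for scanning.
            pool.append((tag, data[off:off + length].decode("utf-8", "replace")))
            off += length
        elif tag in FIXED_SIZES:
            size = FIXED_SIZES[tag]
            pool.append((tag, data[off:off + size]))
            off += size
            if tag in (CONSTANT_LONG, CONSTANT_DOUBLE):
                pool.append(None)  # 8-byte constants occupy two slots (spec quirk)
                i += 1
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {off - 1}")
        i += 1
    return pool


def _utf8(pool, idx):
    tag, text = pool[idx]
    if tag != CONSTANT_UTF8:
        raise ValueError(f"slot {idx} is not Utf8")
    return text


def method_refs(pool):
    """Resolve Methodref/InterfaceMethodref entries to ('class.name', descriptor)."""
    out = []
    for entry in pool:
        if entry and entry[0] in (CONSTANT_METHODREF, CONSTANT_IFMETHODREF):
            class_idx, nat_idx = struct.unpack(">HH", entry[1])
            (class_name_idx,) = struct.unpack(">H", pool[class_idx][1])
            name_idx, desc_idx = struct.unpack(">HH", pool[nat_idx][1])
            out.append((f"{_utf8(pool, class_name_idx)}.{_utf8(pool, name_idx)}",
                        _utf8(pool, desc_idx)))
    return out


def string_constants(pool):
    """Only CONSTANT_String entries, i.e. literals the code can load with ldc."""
    return [_utf8(pool, struct.unpack(">H", e[1])[0])
            for e in pool if e and e[0] == CONSTANT_STRING]


def scan(data: bytes):
    """Return (kind, label, value) findings; the rest of the pool is discarded."""
    pool = parse_constant_pool(data)
    findings = []
    for name, desc in method_refs(pool):
        if name in SENSITIVE_APIS:
            findings.append(("api", SENSITIVE_APIS[name], name + desc))
    for s in string_constants(pool):
        if URL_RE.search(s):
            findings.append(("string", "url", s))
        elif IPV4_RE.search(s):
            findings.append(("string", "ipv4", s))
        elif BASE64_RE.match(s):
            findings.append(("string", "base64-like", s))
    return findings


# Constructed sample: a class-file prefix whose pool references Runtime.exec and a placeholder URL.
def _u(s): return bytes([CONSTANT_UTF8]) + struct.pack(">H", len(s)) + s.encode()
def _e(tag, *idx): return bytes([tag]) + struct.pack(">%dH" % len(idx), *idx)

SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 20)          # magic, minor, major (Java 8), cp_count
    + _u("java/lang/Runtime") + _e(CONSTANT_CLASS, 1)             # slots 1, 2
    + _u("exec") + _u("(Ljava/lang/String;)Ljava/lang/Process;") + _e(12, 3, 4)  # 3, 4, 5
    + _e(CONSTANT_METHODREF, 2, 5)                                # 6: Runtime.exec
    + _u("http://example.invalid/stage2.jar") + _e(CONSTANT_STRING, 7)  # 7, 8
    + _u("hello") + _e(CONSTANT_STRING, 9)                        # 9, 10 (benign)
    + _u("java/lang/Object") + _e(CONSTANT_CLASS, 11)             # 11, 12
    + _u("<init>") + _u("()V") + _e(12, 13, 14) + _e(CONSTANT_METHODREF, 12, 15)  # 13-16 (benign)
    + bytes([CONSTANT_LONG]) + struct.pack(">q", 0)               # 17 (plus phantom slot 18)
    + _u("version") + struct.pack(">HHH", 0x0021, 12, 12)         # 19; then access_flags, this/super
)

if __name__ == "__main__":
    for kind, label, value in scan(SAMPLE_CLASS):
        print(f"{kind:6} {label:18} {value}")
```

Run against the sample, the scanner reduces a 19-slot pool to two lines: the `Runtime.exec` reference and the URL literal. Two caveats a practitioner should keep in mind: the scanner reads the constant pool only, so it cannot tell whether a referenced API is reachable, and strings assembled at runtime or held in other encodings will not match the regexes; the paper's point is that these indicators narrow the search enough for manual triage, not that they replace it.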