Malicious packages reported in JCenter
Incident Report for Bintray
Postmortem

Course of events

  • In July 2017, a user impersonating Jake Wharton asked to include a package in JCenter.

  • The package was valid from a technical perspective (it included sources, a license, and so on), but it also contained malicious code.

  • The Support team members who were reviewing the inclusion request failed to detect the impersonation and approved the package to be included in JCenter.

  • In February 2018, according to Marton Braun, he and others reported the fake package as an abuse using the Bintray reporting system.

  • Due to a technical failure, these abuse reports apparently never reached our monitoring system, so the Bintray team did not receive them.

  • In December 2018, Marton published a blog post raising the issue to the public attention.

Remediation

We tackled the issue on two levels:

From a technical perspective:

  • Once we saw the blog post, we immediately banned the fake user from Bintray and removed the malicious packages they had created, including any links to these packages in JCenter (see the list of deleted files below).

  • We improved the observability of the reporting system by adding monitoring alerts and more logs. As Bintray relies on community feedback (such as what Marton tried to provide back in February), we can’t allow this input to be lost again.

From a process and organizational perspective:

  • We have refreshed the inclusion request process with the Support team. This process already included steps for handling impersonation attempts, but those steps were not followed in this case.

  • In parallel, we are creating a dedicated moderation team to focus primarily on closer inspection and moderation of inclusion requests, including investigation and validation of authors and their claims on the namespace of published content.

  • Swift turnaround on community moderation signals, not only from the Bintray reporting system but also from social channels such as Twitter.

We apologize to the community, and to Jake Wharton personally (as the impersonated party), for this incident, and we would like to thank Marton Braun and others for their persistence in bringing this to our attention. We are investing our best efforts to make sure that such incidents do not recur in the future, while allowing Bintray and JCenter to keep providing this important service to the community.

Below is the list of files which were uploaded by the fake user:

/jakewhaarton/timber/com/github/adrielcafe/AndroidAudioRecorder/0.3.0/AndroidAudioRecorder-0.3.0.pom
/jakewhaarton/timber/com/github/adrielcafe/AndroidAudioRecorder/0.3.0/AndroidAudioRecorder-0.3.0.aar
/jakewhaarton/timber/com/github/adrielcafe/AndroidAudioRecorder/0.3.0/AndroidAudioRecorder-0.3.0-sources.jar
/jakewhaarton/timber/com/github/adrielcafe/AndroidAudioRecorder/0.3.0/AndroidAudioRecorder-0.3.0-javadoc.jar
/jakewhaarton/timber/com/squareup/picaso/picaso/maven-metadata.xml.md5
/jakewhaarton/timber/com/squareup/picasso/picaso/maven-metadata.xml.md5
/jakewhaarton/timber/com/squareup/picasso/picasso/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttp/async-http/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/async-http-client-netty-utils/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/async-http-project/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/async-http/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/netty-bp/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/netty-codec-dns/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/netty-resolver-dns/maven-metadata.xml.md5
/jakewhaarton/timber/org/asynchttpclient/netty-resolver/maven-metadata.xml.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/maven-metadata.xml.md5
/jakewhaarton/timber/org/litecoinj/litecoinj-parent/maven-metadata.xml.md5
/jakewhaarton/timber/org/litecoinj/litecoinj/maven-metadata.xml.md5
/jakewhaarton/timber/com/github/adrielcafe/AndroidAudioRecorder/maven-metadata.xml
/jakewhaarton/timber/com/jakewharton/timber/maven-metadata.xml
/jakewhaarton/timber/com/squareup/picaso/picaso/maven-metadata.xml
/jakewhaarton/timber/com/squareup/picasso/picasso/maven-metadata.xml
/jakewhaarton/timber/de/halfbit/pinned-section-listview/maven-metadata.xml
/jakewhaarton/timber/org/asynchttp/async-http/maven-metadata.xml
/jakewhaarton/timber/org/asynchttpclient/async-http/maven-metadata.xml
/jakewhaarton/timber/org/bitcoinj/bitcoinj/maven-metadata.xml
/jakewhaarton/timber/org/ethereum/ethereumj/maven-metadata.xml
/jakewhaarton/timber/org/litecoinj/litecoinj-parent/maven-metadata.xml
/jakewhaarton/timber/org/litecoinj/litecoinj/maven-metadata.xml
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4.pom.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4.pom
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4-sources.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4-sources.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4-javadoc.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4-javadoc.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4-bundled.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4-bundled.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3.pom.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3.pom
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3-sources.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3-sources.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3-javadoc.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3-javadoc.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3-bundled.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.3/bitcoinj-0.14.3-bundled.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2.pom.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2.pom
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2-sources.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2-sources.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2-javadoc.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2-javadoc.jar
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2-bundled.jar.md5
/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.2/bitcoinj-0.14.2-bundled.jar
/jakewhaarton/timber/com/jakewharton/timber/4.1.1/timber-4.1.1.pom
/jakewhaarton/timber/com/jakewharton/timber/4.1.1/timber-4.1.1.aar
/jakewhaarton/timber/com/jakewharton/timber/4.1.1/timber-4.1.1-sources.jar
/jakewhaarton/timber/com/jakewharton/timber/4.1.1/timber-4.1.1-javadoc.jar
/jakewhaarton/timber/com/jakewharton/timber/4.5.0/timber-4.5.0.pom
/jakewhaarton/timber/com/jakewharton/timber/4.5.0/timber-4.5.0.aar
/jakewhaarton/timber/com/jakewharton/timber/4.5.0/timber-4.5.0-sources.jar
/jakewhaarton/timber/com/jakewharton/timber/4.5.0/timber-4.5.0-javadoc.jar
/jakewhaarton/timber/com/jakewharton/timber/4.5.1/timber-4.5.1.pom
/jakewhaarton/timber/com/jakewharton/timber/4.5.1/timber-4.5.1.aar
/jakewhaarton/timber/com/jakewharton/timber/4.5.1/timber-4.5.1-sources.jar
/jakewhaarton/timber/com/jakewharton/timber/4.5.1/timber-4.5.1-javadoc.jar
/jakewhaarton/timber/org/litecoinj/litecoinj-parent/0.85/litecoinj-parent-0.85.pom.md5
/jakewhaarton/timber/org/litecoinj/litecoinj-parent/0.85/litecoinj-parent-0.85.pom
/jakewhaarton/timber/org/litecoinj/litecoinj/0.85/litecoinj-0.85.pom.md5
/jakewhaarton/timber/org/litecoinj/litecoinj/0.85/litecoinj-0.85.pom
/jakewhaarton/timber/org/litecoinj/litecoinj/0.85/litecoinj-0.85.jar.md5
/jakewhaarton/timber/org/litecoinj/litecoinj/0.85/litecoinj-0.85.jar
/jakewhaarton/timber/org/litecoinj/litecoinj/0.85/litecoinj-0.85-sources.jar.md5
/jakewhaarton/timber/org/litecoinj/litecoinj/0.85/litecoinj-0.85-sources.jar
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38.pom.md5
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38.pom
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38.jar.md5
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38.jar
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38-tests.jar.md5
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38-tests.jar
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38-sources.jar.md5
/jakewhaarton/timber/org/asynchttpclient/async-http/2.0.38/async-http-2.0.38-sources.jar
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38.pom.md5
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38.pom
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38.jar.md5
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38.jar
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38-tests.jar.md5
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38-tests.jar
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38-sources.jar.md5
/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38-sources.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.5.0-RELEASE/ethereumj-1.5.0-RELEASE.zip
/jakewhaarton/timber/org/ethereum/ethereumj/1.5.0-RELEASE/ethereumj-1.5.0-RELEASE.tar
/jakewhaarton/timber/org/ethereum/ethereumj/1.5.0-RELEASE/ethereumj-1.5.0-RELEASE.pom
/jakewhaarton/timber/org/ethereum/ethereumj/1.5.0-RELEASE/ethereumj-1.5.0-RELEASE.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.5.0-RELEASE/ethereumj-1.5.0-RELEASE-sources.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.5.0-RELEASE/ethereumj-1.5.0-RELEASE-javadoc.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.3-RELEASE/ethereumj-1.6.3-RELEASE.zip
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.3-RELEASE/ethereumj-1.6.3-RELEASE.tar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.3-RELEASE/ethereumj-1.6.3-RELEASE.pom
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.3-RELEASE/ethereumj-1.6.3-RELEASE.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.3-RELEASE/ethereumj-1.6.3-RELEASE-sources.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.3-RELEASE/ethereumj-1.6.3-RELEASE-javadoc.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.0-RELEASE/ethereumj-1.6.0-RELEASE.zip
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.0-RELEASE/ethereumj-1.6.0-RELEASE.tar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.0-RELEASE/ethereumj-1.6.0-RELEASE.pom
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.0-RELEASE/ethereumj-1.6.0-RELEASE.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.0-RELEASE/ethereumj-1.6.0-RELEASE-sources.jar
/jakewhaarton/timber/org/ethereum/ethereumj/1.6.0-RELEASE/ethereumj-1.6.0-RELEASE-javadoc.jar
/jakewhaarton/timber/com/squareup/picaso/picaso/2.5.2/picaso-2.5.2.pom.md5
/jakewhaarton/timber/com/squareup/picaso/picaso/2.5.2/picaso-2.5.2.pom
/jakewhaarton/timber/com/squareup/picaso/picaso/2.5.2/picaso-2.5.2.jar.md5
/jakewhaarton/timber/com/squareup/picaso/picaso/2.5.2/picaso-2.5.2.jar
/jakewhaarton/timber/com/squareup/picasso/picasso/2.5.2/picasso-2.5.2.pom.md5
/jakewhaarton/timber/com/squareup/picasso/picasso/2.5.2/picasso-2.5.2.pom
/jakewhaarton/timber/com/squareup/picasso/picasso/2.5.2/picasso-2.5.2.jar.md5
/jakewhaarton/timber/com/squareup/picasso/picasso/2.5.2/picasso-2.5.2.jar
/jakewhaarton/timber/de/halfbit/pinned-section-listview/1.0.0/pinned-section-listview-1.0.0.pom
/jakewhaarton/timber/de/halfbit/pinned-section-listview/1.0.0/pinned-section-listview-1.0.0.aar
/jakewhaarton/timber/de/halfbit/pinned-section-listview/1.0.0/pinned-section-listview-1.0.0-sources.jar
/jakewhaarton/timber/de/halfbit/pinned-section-listview/1.0.0/pinned-section-listview-1.0.0-javadoc.jar
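The list above is, in effect, an indicator list: every path follows the Maven repository layout, so it can be turned into `group:artifact:version` coordinates and checked against a developer's local dependency cache. The script below is an added example, not Bintray or JFrog code. It assumes the standard Maven local repository layout (`~/.m2/repository/<group path>/<artifact>/<version>/`) and the Gradle module cache layout (`~/.gradle/caches/modules-2/files-2.1/<group>/<artifact>/<version>/`); the `KNOWN_GOOD_GROUPS` list and the sample cache it builds are assumptions constructed for the demo. Two cases need different handling: artifacts under lookalike group ids (`com.squareup.picaso`, `org.asynchttp`) are a finding at any version, since nothing legitimate lives there, whereas the fake user also published under legitimate coordinates such as `com.jakewharton:timber` and `org.bitcoinj:bitcoinj`, so a hit there only says "verify this file's checksum against the upstream source", because the same version also exists from the real publisher.

```python
"""Check a local Maven/Gradle cache against the deleted-file list in this
report. Added example, not Bintray/JFrog code. Assumed: the Maven and
Gradle cache layouts named in the lead-in and the KNOWN_GOOD_GROUPS list."""
import difflib
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed subset of the report's deleted-file list; feed the full list
# to indicator_index() for a real check.
DELETED_PATHS = [
    "/jakewhaarton/timber/com/squareup/picaso/picaso/2.5.2/picaso-2.5.2.jar",
    "/jakewhaarton/timber/com/squareup/picasso/picasso/2.5.2/picasso-2.5.2.jar",
    "/jakewhaarton/timber/org/asynchttp/async-http/2.0.38/async-http-2.0.38.jar",
    "/jakewhaarton/timber/org/bitcoinj/bitcoinj/0.14.4/bitcoinj-0.14.4.jar",
    "/jakewhaarton/timber/com/jakewharton/timber/4.5.1/timber-4.5.1.aar",
    "/jakewhaarton/timber/org/bitcoinj/bitcoinj/maven-metadata.xml",
    "/jakewhaarton/timber/com/squareup/picaso/picaso/maven-metadata.xml.md5",
]

# Assumed list of the legitimate group ids the fake packages imitated.
KNOWN_GOOD_GROUPS = ["com.squareup.picasso", "com.jakewharton", "org.bitcoinj",
                     "org.asynchttpclient", "org.ethereum"]


def path_to_coordinate(bintray_path):
    """Map /<user>/<repo>/<group path>/<artifact>/<version>/<file> to
    (group, artifact, version). maven-metadata files sit one level up and
    carry no version, so they map to (group, artifact, None)."""
    maven = bintray_path.strip("/").split("/")[2:]   # drop user and repo
    if len(maven) < 3:
        return None
    if maven[-1].startswith("maven-metadata.xml"):
        group_parts, artifact, version = maven[:-2], maven[-2], None
    else:
        group_parts, artifact, version = maven[:-3], maven[-3], maven[-2]
    if not group_parts:
        return None
    return ".".join(group_parts), artifact, version


def indicator_index(paths):
    """(group, artifact) -> set of versions named in the report."""
    index = defaultdict(set)
    for path in paths:
        coord = path_to_coordinate(path)
        if coord is None:
            continue
        group, artifact, version = coord
        versions = index[(group, artifact)]   # key exists even with no version
        if version is not None:
            versions.add(version)
    return index


def lookalike_groups(index, known_good=KNOWN_GOOD_GROUPS):
    """Heuristic: indicator group ids that are close to, or a truncation of,
    a known-good group id (com.squareup.picaso vs com.squareup.picasso,
    org.asynchttp vs org.asynchttpclient)."""
    flagged = {}
    for group, _artifact in index:
        if group in known_good:
            continue
        for good in known_good:
            similar = difflib.SequenceMatcher(None, group, good).ratio() >= 0.9
            if similar or good.startswith(group):
                flagged[group] = good
                break
    return flagged


def scan_cache(root, index, layout="maven"):
    """Return [(coordinate, finding)] for indicator coordinates under root.
    Lookalike groups are a finding at any version; legitimate groups only at
    a version the report lists, and then only as 'verify checksum upstream'."""
    root, lookalikes, hits = Path(root), lookalike_groups(index), []
    for (group, artifact), versions in index.items():
        group_dir = Path(*group.split(".")) if layout == "maven" else Path(group)
        artifact_dir = root / group_dir / artifact
        if not artifact_dir.is_dir():
            continue
        for version_dir in sorted(p for p in artifact_dir.iterdir() if p.is_dir()):
            coord = f"{group}:{artifact}:{version_dir.name}"
            if group in lookalikes:
                hits.append((coord, f"typosquat of {lookalikes[group]}"))
            elif version_dir.name in versions:
                hits.append((coord, "listed version: verify checksum upstream"))
    return hits


def make_sample_cache():
    """Constructed Maven-layout cache (empty version directories) for a demo."""
    root = Path(tempfile.mkdtemp())
    for rel in ("com/squareup/picaso/picaso/2.5.2", "org/bitcoinj/bitcoinj/0.14.4",
                "org/bitcoinj/bitcoinj/0.15", "org/asynchttp/async-http/2.0.38"):
        (root / rel).mkdir(parents=True)
    return root


if __name__ == "__main__":
    index = indicator_index(DELETED_PATHS)
    for coord, finding in scan_cache(make_sample_cache(), index):
        print(coord, "->", finding)
    for layout, path in (("maven", "~/.m2/repository"),
                         ("gradle", "~/.gradle/caches/modules-2/files-2.1")):
        for coord, finding in scan_cache(Path(path).expanduser(), index, layout):
            print(coord, "->", finding)
```

Run as a script it first reports on the constructed sample cache and then on the real Maven and Gradle caches of the current user, if present. The lookalike heuristic (a high `difflib` similarity ratio or a truncated known-good id) is deliberately loose and is there to separate the two classes of finding, not to prove provenance: for a hit under a legitimate coordinate, the only reliable check is to compare the cached file's checksum with the one published by the upstream project.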

Posted Jan 16, 2019 - 23:45 UTC

Resolved
This incident has been resolved.
Posted Dec 12, 2018 - 08:00 UTC