We introduce Java-Class-Hijack, a novel software supply chain attack that enables an attacker to inject malicious code by crafting a class with the same fully qualified name as a legitimate class already in the dependency tree, so that the JVM loads the attacker's copy in place of the legitimate one. We describe the attack, provide a proof-of-concept demonstrating its feasibility, and replicate it in the German Corona-Warn-App server application. The proof-of-concept illustrates how a transitive dependency deep within the dependency tree can hijack a class from a direct dependency and entirely alter its behavior, posing a significant security risk to Java applications. The replication on the Corona-Warn-App demonstrates how compromising a small JSON validation library could result in a complete database takeover.
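The precondition for the shadowing described above is that two artifacts on the classpath ship a class under the same fully qualified name; which copy the JVM loads is then decided by classpath order, not by whether the dependency is direct or transitive. The following is an added example, not code from the paper or from the Corona-Warn-App project: a small audit that indexes every jar on the runtime classpath, reports class names that occur in more than one jar, and shows which jar the JVM actually resolves each duplicate to. It assumes a flat `-cp` classpath of plain jars; nested fat-jar loaders (Spring Boot) and the module path are not covered, and the class `DuplicateClassAudit` and its method names are this example's own.

```java
import java.io.File;
import java.io.IOException;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example (not from the paper): lists classes that appear in more than
 * one jar on the runtime classpath and shows where the JVM resolves them from.
 * A transitive dependency that ships a copy of a class owned by a direct
 * dependency will show up here as a duplicate.
 */
public class DuplicateClassAudit {

    /** Maps a jar entry such as "com/example/Foo.class" to the jars containing it. */
    static Map<String, List<String>> indexClasspath(String classpath) throws IOException {
        Map<String, List<String>> owners = new HashMap<>();
        for (String element : classpath.split(File.pathSeparator)) {
            if (!element.endsWith(".jar")) continue;        // directories are skipped in this example
            try (JarFile jar = new JarFile(element)) {
                Enumeration<JarEntry> entries = jar.entries();
                while (entries.hasMoreElements()) {
                    String name = entries.nextElement().getName();
                    // Skip non-class entries, multi-release copies under META-INF/versions/
                    // and module descriptors, which legitimately recur in many jars.
                    if (!name.endsWith(".class") || name.startsWith("META-INF/")
                            || name.equals("module-info.class")) continue;
                    owners.computeIfAbsent(name, k -> new ArrayList<>()).add(element);
                }
            }
        }
        return owners;
    }

    /** Keeps only the entries present in two or more jars. */
    static Map<String, List<String>> duplicates(Map<String, List<String>> owners) {
        Map<String, List<String>> dups = new HashMap<>();
        owners.forEach((name, jars) -> { if (jars.size() > 1) dups.put(name, jars); });
        return dups;
    }

    /**
     * Where the JVM actually loads a class from. Uses initialize=false so the
     * audit does not run the static initializer of a possibly hostile class.
     */
    static String resolvedLocation(String fqcn) throws ClassNotFoundException {
        Class<?> c = Class.forName(fqcn, false, DuplicateClassAudit.class.getClassLoader());
        CodeSource src = c.getProtectionDomain().getCodeSource();
        return src == null ? "<bootstrap/platform loader>" : src.getLocation().toString();
    }

    public static void main(String[] args) throws Exception {
        // With "-cp lib/*" the launcher expands the wildcard before setting this property.
        String cp = System.getProperty("java.class.path");
        Map<String, List<String>> dups = duplicates(indexClasspath(cp));
        if (dups.isEmpty()) {
            System.out.println("no duplicate class names on the classpath");
            return;
        }
        dups.forEach((entry, jars) -> {
            String fqcn = entry.substring(0, entry.length() - ".class".length()).replace('/', '.');
            System.out.println("DUPLICATE " + fqcn);
            jars.forEach(j -> System.out.println("    shipped in " + j));
            try {
                System.out.println("    JVM resolves to " + resolvedLocation(fqcn));
            } catch (Throwable t) {      // e.g. LinkageError or missing supertype; report and continue
                System.out.println("    (could not resolve: " + t + ")");
            }
        });
        System.exit(1);                  // non-zero so a CI step fails on any duplicate
    }
}
```

Run it with the application's own classpath, e.g. `java -cp 'app.jar:lib/*:.' DuplicateClassAudit`, and treat any duplicate whose resolved location is a jar other than the one you expect as a finding to investigate. The same check can be enforced at build time with the `banDuplicateClasses` rule of the MojoHaus extra-enforcer-rules for the Maven Enforcer Plugin, which fails the build when two artifacts in the resolved dependency tree contain the same class.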