Are Maven Central and JCenter vulnerable for typosquatting? Can one get malicious dependency by misspelling artifact IDs? What can be done to metigate the risks?
If you using central/JCenter directly (as you mentioned in your comments) I would recommend never to build inside a company infrastructure cause that would open an attack vector (in theory). In such cases always build on an open infrastructure like travis, circleci etc.
If someone want's to place an malicious artifact into Central (I can't speak for JCenter; If I correctly remember more or less the same) based on the scenario you have described this would require an access for a single (bad) person to have access to a known group which contains artifacts which are good known and most important being used on a wide area. This means this bad person needs to have the permission to publish an artifact through the different areas including signing the artifact.
Ok let us assume someone has got over the previous described barriers.
So the artifact needs to be named very similar to other artifacts. And now someone needs to make a particular typo that this particular artifact will be picked up. Second it's needs to be executed somehow (Maybe unit tests/integrations tests might be possible).
So in the end I would say: In theory yes practically very unlikely.
But of course 100% safety is not possible so general advices:
- Transfer always via https (TLSv1.2 at least)
- Check the checksums of the artifacts (fail your build if the checksums do not fit)
- Use review process during development
So I can only recommend to use a repository manager inside a company and of course use a security scanner which checks for known vulnerabilities etc.
Furthermore all repository managers have the option to block any dependencies before using and make a kind of approval process possible inside your company with the drawback of taking time here which "might" buy more safety.