Gradle Wrapper Supply Chain Attack

Gradle, Inc. has reported that MinecraftOnline had malicious Gradle Wrapper JARs in some of their repositories.

I warned about this sort of possibility six years ago and off and on thereafter.

I’ll re-up the same sorts of points that I have made before:

  • Do not use the Gradle Wrapper from an arbitrary project that you grab off of GitHub or elsewhere on the Internet. Delete it, or replace it with a locally generated wrapper (the gradle wrapper command).

  • Consider not publishing the Gradle Wrapper in your projects. Historically, I would publish gradle-wrapper.properties, but not the actual Gradle Wrapper JAR and scripts.
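As an added example (not code from the original post), a small shell audit that does what the two points above recommend before anyone runs ./gradlew on a freshly cloned project: it checks that gradle-wrapper.properties pins the official distribution host and a SHA-256, verifies the committed gradle-wrapper.jar against a checksum you copy from Gradle's published release checksums, and regenerates the wrapper with a locally installed Gradle. The function names are mine; the file layout and the gradle wrapper flags are the standard ones.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a checked-out
# project's Gradle Wrapper before anyone runs ./gradlew, then regenerates it
# locally as the post advises. Assumes the standard wrapper layout under
# gradle/wrapper/ and a locally installed gradle on PATH.

# Print the SHA-256 of a file (coreutils, with a macOS/BSD fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# check_wrapper_properties DIR: 0 if distributionUrl points at the official
# Gradle host over https and distributionSha256Sum is a pinned 64-hex value.
check_wrapper_properties() {
  props="$1/gradle/wrapper/gradle-wrapper.properties"
  [ -f "$props" ] || { echo "missing $props" >&2; return 1; }
  # Java properties files escape ':' as '\:'; drop the backslash and any CR.
  url=$(sed -n 's/^distributionUrl=//p' "$props" | tr -d '\\\r')
  sum=$(sed -n 's/^distributionSha256Sum=//p' "$props" | tr -d '\r')
  case "$url" in
    https://services.gradle.org/distributions/*) ;;
    *) echo "distributionUrl is not the official Gradle host: $url" >&2; return 1 ;;
  esac
  case "$sum" in
    ""|*[!0-9a-fA-F]*) echo "distributionSha256Sum missing or malformed" >&2; return 1 ;;
  esac
  [ "${#sum}" -eq 64 ] || { echo "distributionSha256Sum has wrong length" >&2; return 1; }
  return 0
}

# check_wrapper_jar DIR EXPECTED_SHA256: 0 if the committed JAR hashes to the
# value you copied from https://gradle.org/release-checksums/ for that version.
check_wrapper_jar() {
  jar="$1/gradle/wrapper/gradle-wrapper.jar"
  [ -f "$jar" ] || { echo "missing $jar" >&2; return 1; }
  actual=$(sha256_of "$jar")
  [ "$actual" = "$2" ] || { echo "wrapper JAR mismatch: $actual != $2" >&2; return 1; }
  return 0
}

# regenerate_wrapper DIR VERSION DIST_SHA256: discard the committed wrapper and
# rebuild it with the local Gradle, pinning the distribution checksum.
regenerate_wrapper() {
  rm -f "$1/gradlew" "$1/gradlew.bat" "$1/gradle/wrapper/gradle-wrapper.jar"
  (cd "$1" && gradle wrapper --gradle-version "$2" --gradle-distribution-sha256-sum "$3")
}
```

A failed check is the signal to stop and run regenerate_wrapper rather than the project's own gradlew.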