Postmortem Index


Malicious packages reported in JCenter

Bintray · JCenter

2017-07-01 – 2018-12-12

In July 2017, malicious packages were introduced into JCenter after a user successfully impersonated Jake Wharton during an inclusion request. The packages, though technically valid, contained malicious code. The issue persisted for over a year, with reports made in February 2018 failing to reach the Bintray team due to a technical failure in the reporting system.

The primary root cause was the failure of the Support team to detect the impersonation attempt during the package review process. This allowed malicious code to be published under a trusted name. A secondary root cause was a technical failure in the abuse reporting system, which prevented subsequent reports about the malicious packages from being received by the Bintray team.

Because the malicious code shipped inside packages hosted on JCenter, any project that resolved these dependencies could have pulled the malware into its build. The incident highlights a significant security weakness in how package repositories vet the identity of publishers and handle abuse reports.

Upon public disclosure in December 2018, Bintray immediately banned the fake user and removed all associated malicious packages and links from JCenter. Technical remediation included improving the observability of the reporting system with new monitoring alerts and logs.

From a process and organizational perspective, the inclusion request process for the Support team was refreshed to specifically address impersonation attempts. Additionally, Bintray is establishing a dedicated moderation team to enhance inspection and validation of inclusion requests and authors, aiming for swift response to community moderation signals.

Keywords

jcenter, bintray, maven, malicious packages, impersonation, security, malware, android