The Maven-Hijack attack exploits the fact that the JVM classloader loads the first matching class it finds on the classpath, so a compromised dependency can silently override a legitimate class of the same name. Dependency Analysis Gradle Plugin (DAGP) 3.5.0 adds binary compatibility checking on top of its existing duplicate-class detection: when the same class name is found in more than one JAR, DAGP now checks whether the binary signatures of the copies (fields, methods, return types) match. Incompatible duplicates fail the build and produce a detailed report identifying which dependency is suspicious. The `reason` task explains why a dependency is flagged, and `fixDependencies` can automatically remove the offending dependency from build scripts. The post also notes that Gradle is safer than Maven by default: since Gradle 7.0, Gradle fails builds on duplicate files in archives, whereas Maven silently merges them.
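The check the post describes (find classes that appear in more than one JAR, then compare the copies' declared fields and method signatures) can be reproduced outside Gradle. The following is an added example written for this page, not DAGP's implementation or code from the Gradle blog; it assumes a list of JAR paths on the command line and uses only standard JDK APIs (`java.util.jar`, `URLClassLoader`, reflection). Each copy is loaded in its own isolated classloader with `initialize=false`, so no static initializer from an inspected JAR runs, and the comparison considers only the public/protected API surface:

```java
import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Path;
import java.util.*;
import java.util.jar.JarFile;
import java.util.stream.Collectors;

// Detects duplicate class names across JARs and compares the binary signatures
// (declared fields, method names, parameter and return types) of the copies.
// Illustrative stand-alone checker; not the DAGP implementation.
public final class DuplicateClassChecker {

    /** Map fully-qualified class name -> JARs that contain an entry for it. */
    static Map<String, List<Path>> indexClasses(List<Path> jars) throws IOException {
        Map<String, List<Path>> index = new TreeMap<>();
        for (Path jar : jars) {
            try (JarFile jf = new JarFile(jar.toFile())) {
                jf.stream()
                  .map(e -> e.getName())
                  .filter(n -> n.endsWith(".class") && !n.startsWith("META-INF/"))
                  .map(n -> n.substring(0, n.length() - ".class".length()).replace('/', '.'))
                  .forEach(cn -> index.computeIfAbsent(cn, k -> new ArrayList<>()).add(jar));
            }
        }
        return index;
    }

    static boolean isApi(int mods) {
        return Modifier.isPublic(mods) || Modifier.isProtected(mods);
    }

    /** Public/protected API surface of a class as a sorted set of signature strings. */
    static Set<String> signature(Class<?> c) {
        Set<String> sig = new TreeSet<>();
        for (Field f : c.getDeclaredFields()) {
            if (isApi(f.getModifiers())) {
                sig.add("field " + f.getType().getTypeName() + " " + f.getName());
            }
        }
        for (Method m : c.getDeclaredMethods()) {
            if (isApi(m.getModifiers())) {
                String params = Arrays.stream(m.getParameterTypes())
                        .map(Class::getTypeName).collect(Collectors.joining(","));
                sig.add("method " + m.getReturnType().getTypeName() + " "
                        + m.getName() + "(" + params + ")");
            }
        }
        return sig;
    }

    /** Class name -> (JAR -> signature) for every duplicate whose copies do not agree. */
    static Map<String, Map<Path, Set<String>>> findIncompatible(List<Path> jars) throws IOException {
        Map<String, Map<Path, Set<String>>> incompatible = new TreeMap<>();
        for (Map.Entry<String, List<Path>> e : indexClasses(jars).entrySet()) {
            if (e.getValue().size() < 2) continue;          // present in one JAR only
            Map<Path, Set<String>> perJar = new LinkedHashMap<>();
            for (Path jar : e.getValue()) {
                // Parent is the platform loader: JDK types are visible, the application
                // classpath is not, so the copy really comes from the JAR under inspection.
                try (URLClassLoader cl = new URLClassLoader(new URL[] { jar.toUri().toURL() },
                                                            ClassLoader.getPlatformClassLoader())) {
                    // initialize=false: introspect without running the class's static initializer.
                    perJar.put(jar, signature(Class.forName(e.getKey(), false, cl)));
                } catch (Throwable t) {
                    // e.g. a referenced type lives in another JAR; record it rather than abort.
                    perJar.put(jar, Set.of("<unloadable: " + t.getClass().getSimpleName() + ">"));
                }
            }
            if (new HashSet<>(perJar.values()).size() > 1) incompatible.put(e.getKey(), perJar);
        }
        return incompatible;
    }

    public static void main(String[] args) throws IOException {
        List<Path> jars = Arrays.stream(args).map(Path::of).collect(Collectors.toList());
        Map<String, Map<Path, Set<String>>> bad = findIncompatible(jars);
        if (bad.isEmpty()) {
            System.out.println("No incompatible duplicate classes.");
            return;
        }
        bad.forEach((cn, perJar) -> {
            System.out.println("INCOMPATIBLE DUPLICATE: " + cn);
            perJar.forEach((jar, sig) -> System.out.println("  " + jar.getFileName() + " -> " + sig));
        });
        System.exit(1);   // fail the build step, as DAGP does for incompatible duplicates
    }
}
```

Run it as `java DuplicateClassChecker a.jar b.jar …` over a resolved runtime classpath. Identical copies of a class in two JARs (the benign duplicate DAGP already reported before 3.5.0) produce equal signature sets and are not reported; a copy whose fields or method signatures differ is the case the post flags as suspicious, and the JAR that contributed it is the one to investigate with `reason`.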

10 min read. From blog.gradle.org
Table of contents

- Introduction
- What Maven-Hijack actually does
- Duplicate classes in Gradle builds
- DAGP 3.5.0: binary compatibility for duplicate classes
- How this helps against Maven-Hijack-style attacks
- Why Gradle is safer by default than Maven
- What this means for your builds