Ask HN: Remote repos being used for C2 botnet, or VMS scan?

2 points by paddlepop, almost 6 years ago
Observation: A number of external repos are having malicious *looking* repositories being created with the pattern ";[6 alphanum]<ScRiPt>[4 alphanum]([4 num])</;[6 alphanum]". For example ";0MhPC1<ScRiPt>r7kK(9626)</;CD4u6"

All appear to be running JFrog Artifactory

The remote repos we have identified are:
http://repo.gradle.org/gradle/repo/
https://repo.datastax.com/dse/
https://maven.openflexo.org/artifactory/openflexo-deps/
https://qasymphony.jfrog.io/qasymphony/repo/

Possible Scenarios:

1 - Someone is running some kind of daily vulnerability scan against these repos. This is inadvertently testing the create repo name field for XSS which is then submitted, creating the repo.

2 - Repos are being created for use as a botnet communication channel - pretty clever in my opinion to use remote repos as a means to bypass internal network restriction.

Any owners able to tell if the creator is distributed?
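A check a repository owner could run over their list of repository keys to flag names matching the pattern described above. This is an added example, not part of the original post; the sample key list, the loosened length ranges and the allowlist of "safe" key characters are assumptions.

```python
import re

# Pattern from the post: ;[6 alphanum]<ScRiPt>[4 alphanum]([4 num])</;[6 alphanum]
# Lengths are loosened because the post's own example ends in a 5-character
# token, and anything between "</" and ";" is tolerated (assumption).
PROBE_RE = re.compile(
    r";[A-Za-z0-9]{4,8}<script>[A-Za-z0-9]{2,8}\(\d{2,8}\)</[^;]*;[A-Za-z0-9]{4,8}",
    re.IGNORECASE,  # the observed names use mixed case: <ScRiPt>
)

# Assumption: legitimate repository keys only use these characters.
SAFE_KEY_RE = re.compile(r"[A-Za-z0-9._-]+")


def classify_repo_key(key):
    """Return 'probe', 'suspicious' or 'ok' for one repository key."""
    if PROBE_RE.search(key):
        return "probe"        # matches the naming pattern reported in the post
    if not SAFE_KEY_RE.fullmatch(key):
        return "suspicious"   # markup or punctuation that a real key should not need
    return "ok"


def triage(keys):
    """Group non-ok repository keys by verdict, preserving input order."""
    findings = {"probe": [], "suspicious": []}
    for key in keys:
        verdict = classify_repo_key(key)
        if verdict != "ok":
            findings[verdict].append(key)
    return findings


# Constructed sample input; only the third entry is taken from the post.
SAMPLE_KEYS = [
    "libs-release-local",
    "plugins-snapshot",
    ";0MhPC1<ScRiPt>r7kK(9626)</;CD4u6",
    ";aB3dE9<script>Zq1x(0042)</;Qw8rT2",
    "internal<b>mirror",
]

if __name__ == "__main__":
    for verdict, keys in triage(SAMPLE_KEYS).items():
        for key in keys:
            print(f"{verdict}\t{key!r}")
```

Correlating the creation time and source address of each flagged key in the server's access log is what would answer the post's closing question about whether the creator is distributed.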

1 comment

Jlleitschuh, almost 6 years ago
As a company working for one of the companies impacted by this weirdness we are just as concerned about the potential implications here as you are. We have followed up with JFrog about this and are waiting for a response from them about this.

I'm glad others are seeing these weird things too and it's giving them pause as well.