Maven · repo1.maven.org

org.cip4.lib.jdf:JDFLibJ

Java Static Init Side Effect: Static-initializer block contains process/network/reflection — runs on first class load.

Why PkgRadar flagged 2.2.8.9

Severity	Signal	Evidence
high	Java Static Init Side Effect	Static-initializer block contains process/network/reflection — runs on first class load. · org/cip4/jdflib/util/URLReader.java
high	Java Base64 Combo	Base64.decode combined with network / process / defineClass — classic obfuscated payload. · org/cip4/jdflib/util/UrlUtil.java

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.2.8.9`	High risk	32	2026-06-11

Block this in CI

PkgRadar gates org.cip4.lib.jdf:JDFLibJ (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem maven org.cip4.lib.jdf:[email protected]