This Dependency Update Looked Exactly Like an Account Takeover
A developer building a dependency scanner noticed that javax.activation stopped shipping a GPG signature between two releases, the same kind of signal that accompanied the supply-chain account takeovers of ua-parser-js and event-stream. The investigation found a benign cause (the Sun-to-Oracle transition), but it exposed a blind spot: CVE scanners are lagging indicators, since they can only flag a compromise after someone has found it, disclosed it, and had an identifier assigned. To cover that gap in the JVM ecosystem, the author built Marshal, an open-source CLI tool (Apache 2.0, Java 21) that scores Maven and Gradle dependency updates on behavioral signals in the published artifact and its metadata rather than on known vulnerabilities. It tracks seven rules, including a dropped signature, a new signing key, a jump in dependency count, and a change of repository URL. Scores are bucketed GREEN/YELLOW/ORANGE/RED, and RED requires at least two corroborating signals, so a lone anomaly like the javax.activation signature drop cannot by itself reach RED; this is meant to reduce false-positive fatigue. The tool integrates with CI via exit codes, emits JSON, can post PR comments through GitHub Actions, and has a strict suppression whitelist with an audit trail. v0.2.0 is available now.
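To make the scoring model concrete, here is a small Python model of the rule-and-bucket approach described above. This is an added example, not Marshal's code: the rule weights, thresholds, exit-code mapping, and the sample release metadata are all assumptions chosen for illustration, and only four of the seven rules the summary names are implemented. The first sample update mirrors the javax.activation case (signature dropped, nothing else changed) and shows why a single signal stops short of RED; the second stacks three signals and does reach RED.

```python
"""Illustrative behavioural scoring of a dependency update.

Added example modelled on the rule/bucket design described above. Not Marshal's
code; weights, thresholds, and sample data below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Release:
    """Metadata a scanner would extract for one published version of an artifact."""
    coordinates: str            # group:artifact, e.g. "com.example:widget"
    version: str
    has_signature: bool         # was a detached .asc signature published with the jar?
    signing_key: Optional[str]  # long key id of the signer, None if unsigned
    dependency_count: int       # declared compile/runtime dependencies in the POM
    scm_url: Optional[str]      # <scm><url> from the POM, None if absent


@dataclass(frozen=True)
class Signal:
    rule: str
    weight: int
    detail: str


# Each rule compares the previously consumed release with the candidate update and
# returns a Signal when it fires. Weights are assumed values for this example.
def signature_dropped(prev: Release, new: Release) -> Optional[Signal]:
    if prev.has_signature and not new.has_signature:
        return Signal("signature_dropped", 40,
                      f"{prev.version} was signed, {new.version} is not")
    return None


def new_signing_key(prev: Release, new: Release) -> Optional[Signal]:
    if prev.signing_key and new.signing_key and prev.signing_key != new.signing_key:
        return Signal("new_signing_key", 30,
                      f"signer changed {prev.signing_key} -> {new.signing_key}")
    return None


def dependency_explosion(prev: Release, new: Release,
                         ratio: float = 2.0, min_added: int = 5) -> Optional[Signal]:
    # Fires only when the count both grows by an absolute amount and multiplies,
    # so a small library adding one dependency does not trip it.
    added = new.dependency_count - prev.dependency_count
    if added >= min_added and new.dependency_count >= ratio * max(prev.dependency_count, 1):
        return Signal("dependency_explosion", 25,
                      f"dependencies {prev.dependency_count} -> {new.dependency_count}")
    return None


def repo_url_changed(prev: Release, new: Release) -> Optional[Signal]:
    if prev.scm_url and new.scm_url and prev.scm_url != new.scm_url:
        return Signal("repo_url_changed", 30, f"scm {prev.scm_url} -> {new.scm_url}")
    return None


RULES = [signature_dropped, new_signing_key, dependency_explosion, repo_url_changed]

# Assumed CI mapping: only ORANGE and RED return non-zero.
BUCKET_EXIT_CODES = {"GREEN": 0, "YELLOW": 0, "ORANGE": 1, "RED": 2}


def evaluate(prev: Release, new: Release) -> tuple[str, int, list[Signal]]:
    """Run every rule, sum the weights, and bucket the result.

    RED requires both a high score and at least two independent signals, so one
    loud anomaly alone (like a dropped signature) lands in ORANGE, not RED.
    """
    signals = [s for s in (rule(prev, new) for rule in RULES) if s]
    score = sum(s.weight for s in signals)
    if score >= 60 and len(signals) >= 2:
        bucket = "RED"
    elif score >= 40:
        bucket = "ORANGE"
    elif score > 0:
        bucket = "YELLOW"
    else:
        bucket = "GREEN"
    return bucket, score, signals


def exit_code(bucket: str) -> int:
    return BUCKET_EXIT_CODES[bucket]


# Constructed sample metadata (not real registry data).
PREV = Release("com.example:widget", "1.1", True, "0xA1B2C3D4E5F60718", 3,
               "https://github.com/example/widget")
# Mirrors the javax.activation pattern: signature gone, everything else unchanged.
BENIGN_DROP = Release("com.example:widget", "1.1.1", False, None, 3,
                      "https://github.com/example/widget")
# Signature gone, repository moved, and dependencies ballooned in one release.
SUSPICIOUS = Release("com.example:widget", "1.2.0", False, None, 14,
                     "https://github.com/someone-else/widget")

if __name__ == "__main__":
    for candidate in (BENIGN_DROP, SUSPICIOUS):
        bucket, score, signals = evaluate(PREV, candidate)
        print(f"{candidate.coordinates}:{candidate.version} -> {bucket} ({score})")
        for s in signals:
            print(f"  [{s.rule}] {s.detail}")
        print(f"  exit code {exit_code(bucket)}")
```

The corroboration check in `evaluate` is the part worth copying: a weight high enough to matter on its own still needs a second rule to agree before the update is treated as blocking, which is exactly the distinction that separated the javax.activation false alarm from a real takeover.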