
@JLLeitschuh
Last active October 20, 2018 03:29
A malicious plugin.
// Gradle Kotlin DSL build script for a proof-of-concept plugin that tests how
// the Gradle Plugin Portal validated uploads.
plugins {
    java
    // Supplies the pluginBundle block (portal metadata and upload).
    id("com.gradle.plugin-publish") version "0.9.10"
    // Supplies the gradlePlugin block used to declare plugin ids.
    id("java-gradle-plugin")
}

// Group and version set for this project.
// NOTE(review): the comment in pluginBundle further down says the portal did
// not validate the group at the time, so the group is the value that test
// depends on.
group = "org.jlleitschuh.testing.security"
version = "0.4.1"

dependencies {
    // The Gradle API is needed to compile the plugin class only.
    compileOnly(gradleApi())
}
// Declares two plugin ids. Both point at the same implementation class, so the
// same code runs whichever id a build applies.
gradlePlugin {
    (plugins) {
        "securityPlugin" {
            /*
             * This is the plugin that the user is already using.
             */
            id = "org.jlleitschuh.testing.security-plugin"
            implementationClass = "org.jlleitschuh.testing.security.SecurityPlugin"
        }
        "securityPluginTemp" {
            /*
             * An otherwise unused declaration. It exists only to satisfy
             * com.gradle.plugin-publish, java-gradle-plugin and the Gradle
             * Plugin Portal when the malicious plugin is uploaded.
             */
            id = "org.jlleitschuh.testing.security-plugin.tmp"
            implementationClass = "org.jlleitschuh.testing.security.SecurityPlugin"
        }
    }
}
// Portal listing metadata. The description and the tag both mark this as a
// test artifact that is not meant to be used.
pluginBundle {
    description = "Useless security testing."
    vcsUrl = "https://github.com/JLLeitschuh/gradle-testing"
    website = "https://github.com/JLLeitschuh/gradle-testing"
    tags = listOf("dont-use")
    (plugins) {
        "securityPlugin" {
            /*
             * Two plugins are declared in gradlePlugin above, but only one is
             * published here, and it is published under the unused ".tmp" id.
             * This is because the Gradle Plugin Portal used to validate only
             * that the plugin id being published was not already taken; it
             * did not validate the group.
             *
             * NOTE(review): "used to" indicates the portal-side check has
             * since changed; this page does not show that fix. Builds that
             * want a control independent of the portal can pin plugin
             * versions and verify artifact checksums or signatures (for
             * example with Gradle dependency verification) - confirm it is
             * available in the Gradle version in use.
             */
            id = "org.jlleitschuh.testing.security-plugin.tmp"
            displayName = "Security testing plugin"
        }
    }
}
package org.jlleitschuh.testing.security;
import org.gradle.api.Plugin;
import org.gradle.api.Project;
/**
 * Proof-of-concept Gradle plugin whose only action is to announce itself in the build log.
 *
 * <p>The payload is deliberately harmless. A plugin's {@code apply} method runs inside the
 * build process with that process's privileges, so the log line stands in for whatever code
 * a substituted artifact could run. Seeing this message in a build that did not knowingly
 * opt in to this test plugin means the resolved plugin artifact is not the expected one.
 */
public class SecurityPlugin implements Plugin<Project> {

    /** Marker text written to the build log when the plugin is applied. */
    private static final String ANNOUNCEMENT = "A security plugin. I'm malicious!";

    /**
     * Writes the marker message at lifecycle level through the project's logger.
     *
     * @param target the project this plugin is being applied to
     */
    @Override
    public void apply(final Project target) {
        target.getLogger().lifecycle(ANNOUNCEMENT);
    }
}