Maven does not support "scripts" as NPM does, such as the pre-install script used for this exploit. With scripts enabled, the mere act of downloading a dependency requires a high degree of trust in it.

Downloading a dependency also requires a high degree of trust in whatever transitive dependencies that a trusted dependency decides to pull in.