A flaw was found in the Maven Archetype Plugin. Archetype integration testing can create a file called ./target/classes/archetype-it/archetype-settings.xml This file contains all the content from the users ~/.m2/settings.xml file, which often contains sensitive information or credentials. When the user runs mvn verify again without a mvn clean, this file becomes part of the final artifact. If a developer were to publish this into Maven Central or any other remote repository, whether as a release or a snapshot, their credentials would be published without them knowing.