cti/enterprise-attack/attack-pattern/attack-pattern--191cc6af-1bb2-4344-ab5f-28e496638720.json

{
    "type": "bundle",
    "id": "bundle--6f5033ef-1245-4d8f-a621-7873de57136a",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--191cc6af-1bb2-4344-ab5f-28e496638720",
            "created": "2020-03-11T14:13:42.916Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1195/001",
                    "external_id": "T1195.001"
                },
                {
                    "source_name": "Palo Alto Networks GitHub Actions Worm 2023",
                    "description": "Asi Greenholts. (2023, September 14). The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree. Retrieved May 22, 2025.",
                    "url": "https://www.paloaltonetworks.com/blog/cloud-security/github-actions-worm-dependencies/"
                },
                {
                    "source_name": "Meyer PyPI Supply Chain Attack Uncovered",
                    "description": "Darren Meyer. (2025, May 28). PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion. Retrieved September 24, 2025.",
                    "url": "https://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama/"
                },
                {
                    "source_name": "Ahmed Backdoors in Python and NPM Packages",
                    "description": "Deeba Ahmed. (2025, June 2). Backdoors in Python and NPM Packages Target Windows and Linux. Retrieved September 24, 2025.",
                    "url": "https://hackread.com/backdoors-python-npm-packages-windows-linux/"
                },
                {
                    "source_name": "MANDVI Malicious npm and PyPI Packages Disguised",
                    "description": "MANDVI. (2025, April 22). Malicious npm and PyPI Packages Disguised as Dev Tools to Steal Credentials. Retrieved September 24, 2025.",
                    "url": "https://cyberpress.org/malicious-npm-and-pypi-packages-disguised-as-dev-tools"
                },
                {
                    "source_name": "Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025",
                    "description": "Omer Gilm Aviad Hahami, Asi Greenholts, and Yaron Avital. (2025, March 20). GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment . Retrieved May 22, 2025.",
                    "url": "https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack"
                },
                {
                    "source_name": "OWASP CICD-SEC-4",
                    "description": "OWASP. (n.d.). CICD-SEC-4: Poisoned Pipeline Execution (PPE). Retrieved May 22, 2025.",
                    "url": "https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution"
                },
                {
                    "source_name": "The Hacker News PyPi Revival Hijack 2024",
                    "description": "Ravie Lakshmanan. (2024, September 4). Researchers Find Over 22,000 Removed PyPI Packages at Risk of Revival Hijack. Retrieved May 22, 2025.",
                    "url": "https://thehackernews.com/2024/09/hackers-hijack-22000-removed-pypi.html"
                },
                {
                    "source_name": "Bitdefender NPM Repositories Compromised 2021",
                    "description": "Silviu Stahie. (2021, November 8). Popular NPM Repositories Compromised in Man-in-the-Middle Attack. Retrieved May 22, 2025.",
                    "url": "https://www.bitdefender.com/en-gb/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack"
                },
                {
                    "source_name": "Trendmicro NPM Compromise",
                    "description": "Trendmicro. (2018, November 29). Hacker Infects Node.js Package to Steal from Bitcoin Wallets. Retrieved April 10, 2019.",
                    "url": "https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets"
                },
                {
                    "source_name": "Checkmarx-oss-seo",
                    "description": "Yehuda Gelb. (2024, April 10). New Technique to Trick Developers Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.",
                    "url": "https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2025-10-24T17:48:27.436Z",
            "name": "Compromise Software Dependencies and Development Tools",
            "description": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications, such as pip and NPM packages, may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)(Citation: Bitdefender NPM Repositories Compromised 2021)(Citation: MANDVI Malicious npm and PyPI Packages Disguised) This may also include abandoned packages, which in some cases could be re-registered by threat actors after being removed by adversaries.(Citation: The Hacker News PyPi Revival Hijack 2024) Adversaries may also employ \"typosquatting\" or name-confusion by choosing names similar to existing popular libraries or packages in order to deceive a user.(Citation: Ahmed Backdoors in Python and NPM Packages)(Citation: Meyer PyPI Supply Chain Attack Uncovered)(Citation: Checkmarx-oss-seo)\n\nAdditionally, CI/CD pipeline components, such as GitHub Actions, may be targeted in order to gain access to the building, testing, and deployment cycles of an application.(Citation: Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025) By adding malicious code into a GitHub action, a threat actor may be able to collect runtime credentials (e.g., via [Proc Filesystem](https://attack.mitre.org/techniques/T1003/007)) or insert further malicious components into the build pipelines for a second-order supply chain compromise.(Citation: OWASP CICD-SEC-4) As GitHub Actions are often dependent on other GitHub Actions, threat actors may be able to infect a large number of repositories via the compromise of a single Action.(Citation: Palo Alto Networks GitHub Actions Worm 2023)\n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. ",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "initial-access"
                }
            ],
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_contributors": [
                "Enis Aksu",
                "Joe Gumke, U.S. Bank",
                "Liran Ravich, CardinalOps"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_is_subtechnique": true,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Linux",
                "macOS",
                "Windows"
            ],
            "x_mitre_version": "1.3"
        }
    ]
}