GuardDog package dependency executes custom lifecycle script
Goal
This rule detects GuardDog findings that indicate package dependencies using custom scripts that run automatically during the dependency lifecycle, most commonly at installation time.
Strategy
This rule monitors GuardDog logs for findings associated with the following behaviors:
- Use of custom npm preinstall, install, and postinstall scripts.
- Use of custom PyPI Setuptools install hooks.
- Use of custom Rubygems install hooks.
Custom lifecycle scripts are a common mechanism by which malicious open source packages achieve initial code execution on victim systems. While these behaviors are not inherently malicious, dependencies that use custom lifecycle scripts warrant additional scrutiny.
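The following is an added example, not GuardDog's own code: a small, self-contained checker that reads the same three places the rule describes (npm `scripts` hooks in package.json, Setuptools command-class overrides in setup.py, and `extensions` in a gemspec) and returns the hooks a reviewer should read during triage. The sample package.json, setup.py and gemspec are constructed; the hook names and regex are assumptions chosen for illustration.

```python
"""Flag custom lifecycle hooks in npm, PyPI and Rubygems package metadata.

Added example for this rule page; it is not GuardDog's own code and does not
read GuardDog output. It only lists the places where a dependency can execute
code automatically during installation, so a reviewer knows what to inspect.
"""
import ast
import json
import re

# npm runs these automatically during `npm install` (assumed set for this example).
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Setuptools command classes a package may subclass to run code during install.
SETUPTOOLS_HOOK_BASES = {"install", "develop", "egg_info", "build_py"}


def npm_lifecycle_scripts(package_json: str) -> dict:
    """Return the lifecycle hooks defined under "scripts" in a package.json."""
    data = json.loads(package_json)
    scripts = data.get("scripts", {})
    if not isinstance(scripts, dict):
        return {}
    return {name: cmd for name, cmd in scripts.items() if name in NPM_LIFECYCLE_HOOKS}


def setuptools_install_hooks(setup_py: str) -> list:
    """Return (class name, base name) pairs for classes subclassing install hooks."""
    tree = ast.parse(setup_py)
    hooks = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.ClassDef):
            continue
        for base in node.bases:
            # Handles both `class X(install)` and `class X(setuptools.command.install.install)`.
            base_name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", None)
            if base_name in SETUPTOOLS_HOOK_BASES:
                hooks.append((node.name, base_name))
    return hooks


def setuptools_cmdclass_entries(setup_py: str) -> dict:
    """Return the cmdclass={...} mapping passed to setup(), e.g. {"install": "CustomInstall"}."""
    tree = ast.parse(setup_py)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and getattr(node.func, "id", None) == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    return {
                        k.value: v.id
                        for k, v in zip(kw.value.keys, kw.value.values)
                        if isinstance(k, ast.Constant) and isinstance(v, ast.Name)
                    }
    return {}


def gem_extensions(gemspec: str) -> list:
    """Return paths listed in `spec.extensions = [...]` (heuristic regex, not a Ruby parser)."""
    match = re.search(r"\.extensions\s*=\s*\[([^\]]*)\]", gemspec)
    if not match:
        return []
    return re.findall(r"""["']([^"']+)["']""", match.group(1))


# --- Constructed sample inputs (not real packages) ---------------------------
SAMPLE_PACKAGE_JSON = """{
  "name": "example-pkg",
  "version": "1.0.0",
  "scripts": {"test": "jest", "postinstall": "node setup.js"}
}"""

SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install

class CustomInstall(install):
    def run(self):
        # Anything placed here runs on the installing host during `pip install`.
        install.run(self)

setup(name="example-pkg", version="1.0.0", cmdclass={"install": CustomInstall})
'''

SAMPLE_GEMSPEC = '''
Gem::Specification.new do |spec|
  spec.name = "example-gem"
  spec.extensions = ["ext/extconf.rb"]
end
'''


def scan_all(package_json: str, setup_py: str, gemspec: str) -> list:
    """Collect every hook found across the three ecosystems as triage findings."""
    findings = []
    for name, cmd in npm_lifecycle_scripts(package_json).items():
        findings.append({"ecosystem": "npm", "hook": name, "detail": cmd})
    for cls, base in setuptools_install_hooks(setup_py):
        findings.append({"ecosystem": "pypi", "hook": base, "detail": cls})
    for path in gem_extensions(gemspec):
        findings.append({"ecosystem": "rubygems", "hook": "extensions", "detail": path})
    return findings


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_PACKAGE_JSON, SAMPLE_SETUP_PY, SAMPLE_GEMSPEC):
        print(finding)
```

Each finding names the hook and the script or class to open next; the example deliberately stops at locating the hook, because, as the rule notes, the hook's presence alone is not evidence of malice and a human has to read what it does.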
Triage and response
- Review the GuardDog finding in the scan logs and inspect the source code of the custom lifecycle script.
- If the dependency is found to be malicious:
  - Immediately remove all instances from your system.
  - Rotate any affected credentials and perform an assessment of potential spread.
  - Consider reporting the malicious dependency to the package registry where it is hosted.