Malicious package installation

What happened

A malicious package was installed during a package manager installation process.

Goal

Detect package installations during which multiple attack tactics are observed, across npm, pip, gem, composer, cargo, and other package managers.

Strategy

This rule monitors package installations across multiple package managers (npm, yarn, pnpm, bun, pip, uv, pipx, poetry, conda, gem, bundler, composer, cargo) and alerts when multiple attack tactics are observed during a single installation. Such a combination indicates a potential supply chain attack or malware executing through an install-time code execution mechanism such as a post-install script, setup.py execution, or native extension compilation.
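As an added illustration of this strategy (not the rule's own implementation), the Python below groups process, file and network events by the package-manager install session that spawned them, labels each event with a tactic, and alerts only when two or more distinct tactics appear in one session. The event shape and the session field are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict

# Package-manager process names from the rule strategy (bundler runs as "bundle").
PACKAGE_MANAGERS = {"npm", "yarn", "pnpm", "bun", "pip", "uv", "pipx", "poetry",
                    "conda", "gem", "bundle", "composer", "cargo"}
SHELLS = {"sh", "bash", "dash", "zsh"}
SECRET_PATHS = (".aws/credentials", ".ssh/", ".npmrc", ".pypirc", ".git-credentials")

# Constructed sample telemetry. "session" is assumed to be the pid of the
# top-level package-manager process, so every child it spawns shares it.
EVENTS = [
    {"session": 101, "comm": "npm", "kind": "exec", "args": "npm install leftpad-utils"},
    {"session": 101, "comm": "node", "kind": "exec", "args": "node scripts/postinstall.js"},
    {"session": 101, "comm": "node", "kind": "file_open", "path": "/home/dev/.aws/credentials"},
    {"session": 101, "comm": "curl", "kind": "connect", "dst": "203.0.113.5:443"},
    {"session": 101, "comm": "sh", "kind": "exec", "args": "sh -i"},
    {"session": 202, "comm": "pip", "kind": "exec", "args": "pip install fastproto"},
    {"session": 202, "comm": "python3", "kind": "exec", "args": "python3 setup.py install"},
    {"session": 303, "comm": "gem", "kind": "exec", "args": "gem install fastjson"},
    {"session": 303, "comm": "ruby", "kind": "connect", "dst": "198.51.100.7:80"},
]

def classify(ev):
    """Tactic label for one event, or None; the package manager's own events are ignored."""
    if ev["comm"] in PACKAGE_MANAGERS:   # registry downloads etc. are expected
        return None
    args = ev.get("args", "")
    if ev["kind"] == "file_open" and any(s in ev.get("path", "") for s in SECRET_PATHS):
        return "credential_access"
    if ev["kind"] == "connect":          # a child (curl, node, ruby) reaching out
        return "network_egress"
    if ev["kind"] == "exec" and ev["comm"] in SHELLS and ("-i" in args.split() or "/dev/tcp/" in args):
        return "reverse_shell"
    if ev["kind"] == "exec" and (ev["comm"] == "xmrig" or "stratum+tcp" in args):
        return "crypto_mining"
    return None

def find_suspicious_installs(events, min_tactics=2):
    """Return {session: sorted tactics} for sessions with >= min_tactics distinct tactics."""
    seen = defaultdict(set)
    for ev in events:
        tactic = classify(ev)
        if tactic:
            seen[ev["session"]].add(tactic)
    return {s: sorted(t) for s, t in seen.items() if len(t) >= min_tactics}

if __name__ == "__main__":
    for session, tactics in find_suspicious_installs(EVENTS).items():
        print(f"ALERT session {session}: tactics {tactics}")
```

Session 303 performs a single outbound connection from a child process and stays below the threshold, which is the behaviour that keeps ordinary builds that fetch a dependency from alerting.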

Triage and response

  1. Review the package installation details and identify which package and package manager triggered the alert.
  2. Investigate the tactics observed during installation to understand the nature of the malicious activity (e.g., credential theft, reverse shell, crypto mining).
  3. Check if the package version has been flagged on security advisories (npm advisories, PyPI, RubyGems, etc.).
  4. Remove the malicious package and any artifacts it may have created (e.g., .pth files for pip, compiled extensions for gem).
  5. Follow your organization’s internal processes for investigating and remediating compromised systems.