TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Red Canary

Intelligence Insights: April 2026

The Red Canary Team · 2026-04-23

ATT&CK techniques detected

12 predictions
T1059.003 Windows Command Shell
100%
“in the programdata folder this pseudo-detection analytic identifies the windows command processor cmd.exe being used to execute a binary in the programdata folder. adversaries, including those behind recent email bombing campaigns, can leverage the programdata folder for stagi…”
T1195.001 Compromise Software Dependencies and Development Tools
96%
“compromises. key recommendations include enabling two-factor authentication (2fa) for any accounts with publishing rights to the npm package repository, and using a local npm proxy to cache known good npm packages for use internally. this caching strategy can be combined with…”
T1195.001 Compromise Software Dependencies and Development Tools
89%
“intelligence insights: april 2026 highlights from march coming in at number 1 on this month’s top 10 most prevalent threat list is activity related to march 2026’s axios npm compromise. on march 30, 2026, security researchers discovered that the widely-used npm package axi…”
T1566.002 Spearphishing Link
61%
“, teampcp is the threat group behind a months-long supply chain campaign that has also targeted github actions, docker hub, npm, openvsx, and pypi. finally, last month red canary observed an increase in microsoft teams phishing paired with email bombing. this is not a wholly ne…”
T1219 Remote Access Tools
60%
“installation. these email bombing campaigns generally follow the same pattern as previously seen campaigns: - it begins with flooding a victim’s inbox with hundreds of spam emails. note: it is not uncommon for multiple users in the same environment to be targeted simultaneous…”
T1219 Remote Access Tools
57%
“\arm\{guid} the adversaries frequently use c:\programdata\adobe\arm\{guid} for their initial file writes and, farther along in the attack chain, for dll sideloading. there could be several reasons they leverage this directory: programdata is a hidden directory by…”
T1204.002 Malicious File
47%
“context for your team around legitimate but abused tools like rmms. - leverage resources like our social engineering trends user awareness guide to raise awareness across your organization on what to look for and who to contact if a user falls victim to email bombing. - institute…”
T1667 Email Bombing
42%
“installation. these email bombing campaigns generally follow the same pattern as previously seen campaigns: - it begins with flooding a victim’s inbox with hundreds of spam emails. note: it is not uncommon for multiple users in the same environment to be targeted simultaneous…”
T1566.002 Spearphishing Link
38%
“installation. these email bombing campaigns generally follow the same pattern as previously seen campaigns: - it begins with flooding a victim’s inbox with hundreds of spam emails. note: it is not uncommon for multiple users in the same environment to be targeted simultaneous…”
T1195.002 Compromise Software Supply Chain
35%
“intelligence insights: april 2026 highlights from march coming in at number 1 on this month’s top 10 most prevalent threat list is activity related to march 2026’s axios npm compromise. on march 30, 2026, security researchers discovered that the widely-used npm package axi…”
T1204.002 Malicious File
34%
“installation. these email bombing campaigns generally follow the same pattern as previously seen campaigns: - it begins with flooding a victim’s inbox with hundreds of spam emails. note: it is not uncommon for multiple users in the same environment to be targeted simultaneous…”
T1587 Develop Capabilities
32%
“intelligence insights: april 2026 highlights from march coming in at number 1 on this month’s top 10 most prevalent threat list is activity related to march 2026’s axios npm compromise. on march 30, 2026, security researchers discovered that the widely-used npm package axi…”

Summary

Poisoned packages and pipeline perils in this month's edition of Intelligence Insights.