Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Persistence/ T1176

T1176Software Extensions

T1176 — Software Extensions is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 7 detection use cases covering it and 34 threat-intel articles citing it.

Persistence
View on the matrix → Filter Detection Library MITRE official spec ↗
7Use cases
34Articles
2Sub-techniques
1Tactic

Sub-techniques (2)

T1176.001 · Browser ExtensionsT1176.002 · IDE Extensions

Use cases covering this technique (7)

Suspicious browser extension installation Internal install · hunting DSΣP [LLM] Non-Chrome process modifies macOS Chrome Preferences (FlutterShell browser hijack) Bespoke actions · hunting DSΣPCS [LLM] Cyberhaven trojanized Chrome extension C2 callback to cyberhavenext.pro Bespoke c2 · alerting DSΣPDDCS [LLM] VS Code child process fetching payload from nrwl/nx orphan commit (Nx Console v18.95.0 dropper) Bespoke install · alerting DSΣPDDCS [LLM] Context.ai compromised Chrome extension installed on host (ID omddlmnhcofjbnbflmjginpjjblphbgk) Bespoke install · alerting DSΣPDDCS [LLM] Solidity Language malicious Cursor/VS Code extension folder created on disk (solidityai.solidity-* and related) Bespoke delivery · alerting DSΣPDDCS [LLM] Browser extension folder write at vulnerable React DevTools 4.27.8 / Vue.js devtools 6.5.0 Bespoke exploit · hunting DSΣPDDCS

Articles citing this technique (34)

med 152 Chrome Extensions Hide Ad Tracking and Fake Google Search Traffic art-04
crit Early Warning Signs of Supply-Chain Attacks Live in the Dark Web art-27
crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48
crit Compromised Rust crate onering performs code exfiltration art-66
crit Wait, binding.gyp Can Do What? Exploring npm's Weirdest Build System art-85
crit Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor art-150
high What MDM can't protect on developer machines (and what to do about it) art-186
high Why developer machines are now the number one target for supply chain attacks art-208
high Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer art-212
crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217
high Dev Machine Guard Now Supports Linux art-234
crit Tracking TamperedChef Clusters via Certificate and Code Reuse art-237
high GitHub breached via a malicious VS Code extension: why developer devices are the real target art-238
high Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files art-281
crit Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack art-315
crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316
crit Security metamorphosis: a Mythos-ready architecture checklist for autonomous AI attacks art-331
high Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud art-339
crit Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer art-345
high It's time to treat browser extensions like supply chain attack vectors art-354
high Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm art-361
high GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays art-367
high Securing Vibe Coding and AI Coding Agents: An End-to-End Approach with StepSecurity art-395
high GlassWorm goes native: New Zig dropper infects every IDE on your machine art-405
high Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor art-412
crit ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push art-434
crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458
high Glassworm Strikes Popular React Native Phone Number Packages art-466
high From detection to prevention: How Zen stops IDOR vulnerabilities at runtime art-534
high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594
high G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets art-604
high Cursor IDE Malware Extension Compromise in $500k Crypto Heist art-842
crit Polyfill supply chain attack embeds malware in JavaScript CDN assets art-1218
crit Exploring WebExtension security vulnerabilities in React Developer Tools and Vue.js devtools art-1328