Clankerusecase
MITRE ATT&CK detection coverage

T1195.001 Compromise Software Dependencies and Development Tools

T1195.001 — Compromise Software Dependencies and Development Tools is a MITRE ATT&CK technique in the Initial Access tactic. Clankerusecase tracks 25 detection use cases covering it and 18 threat-intel articles citing it.

Initial Access
25 Use cases
18 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (25)

GitHub Dependabot Alert | ESCU | actions · hunting | P
GitHub Pull Request from Unknown User | ESCU | actions · hunting | P
[LLM] AUR helper or makepkg spawning npm/node to install atomic-lockfile or js-digest | Bespoke | install · alerting | DSΣPDDCS
[LLM] Miasma supply-chain worm leaked repo clone, install or fetch | Bespoke | delivery · alerting | DSΣPDDCS
[LLM] npm install lifecycle script spawns interpreter or network-fetcher child | Bespoke | install · alerting | DSΣPDDCS
[LLM] npm install with --allow-git / --allow-remote / --allow-scripts bypass flag | Bespoke | weapon · alerting | DSΣPDDCS
[LLM] npm install with --ignore-scripts=false or NPM_CONFIG_IGNORE_SCRIPTS override | Bespoke | weapon · alerting | DSΣPDDCS
[LLM] Vulnerable Baileys npm package present on disk (CVE-2026-48063) | Bespoke | weapon · hunting | DSΣPDDCS
[LLM] npm/yarn/pnpm install or upgrade of Baileys package | Bespoke | install · hunting | DSΣPDDCS
[LLM] github.com/dhax/go-base supply-chain footprint in go.mod / build artifacts | Bespoke | recon · hunting | DSΣPDDCSCW
[LLM] Cargo build script spawning git with onering's exfil --pretty=format JSON | Bespoke | actions · alerting | DSΣPDDCS
[LLM] Cargo dependency manifest or download pinned to compromised onering 1.4.1 | Bespoke | delivery · hunting | DSPDDCS
[LLM] Malicious _hooks.py / _runtime.bin files created in Pythagora gpt-pilot checkout | Bespoke | delivery · alerting | DSΣPDDCS
[LLM] Suspicious commit pattern: '[skip ci]' with backdated timestamp adding only IDE config files | Bespoke | delivery · hunting | DSPDD
[LLM] Vulnerable cordova-plugin-inappbrowser install on dev endpoint (CVE-2026-47430) | Bespoke | weapon · hunting | DSΣPDDCS
[LLM] Bright Data partner-app or brdsdk.framework present on managed iOS / mobile inventory | Bespoke | install · hunting | DSP
[LLM] Compromised Nx Console VS Code extension (nrwl.angular-console v18.94.0/18.95.0/18.100.0) install on endpoint | Bespoke | delivery · alerting | DSΣPDDCS
[LLM] DeepSeek-TUI spawning 'cargo test' — CVE-2026-45311 auto-approved run_tests pathway | Bespoke | exploit · hunting | DSΣPDD
[LLM] Shai-Hulud style repository poisoning — .claude/router_runtime.js drop | Bespoke | actions · alerting | DSΣPDD
[LLM] Compromised kubernetes.el destructive payload — Emacs spawning `rm -rf / --no-preserve-root` | Bespoke | actions · alerting | DSΣPDD
[LLM] Storybook WebSocket XSS/RCE — malicious .stories file written to src/stories (CVE-2026-27148) | Bespoke | install · alerting | DSΣPDDCS
[LLM] Storybook portable-stories RCE — vitest/node spawning shell, recon or secret-grep child (CVE-2026-27148) | Bespoke | exploit · alerting | DSΣPDDCS
[LLM] npm install referencing GitHub commit SHA (github:owner/repo#sha) — dangling-commit supply chain hunt | Bespoke | weapon · hunting | DSΣPDDCS
[LLM] SKILL.md file written referencing fabricated openclaw-core prerequisite (ClawHub skill social engineering hook) | Bespoke | weapon · hunting | DSPDDCS
[LLM] GhostAction malicious workflow file added with curl POST to Plesk infrastructure | Bespoke | install · alerting | DSΣPDDCS

Articles citing this technique (18)