Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Execution/ T1204.004

T1204.004Malicious Copy and Paste

T1204.004 — Malicious Copy and Paste is a MITRE ATT&CK technique in the Execution tactic. Clankerusecase tracks 3 detection use cases covering it and 84 threat-intel articles citing it.

Execution
View on the matrix → Filter Detection Library MITRE official spec ↗
3Use cases
84Articles
0Sub-techniques
1Tactic
↑ Parent technique: T1204 · User Execution

Use cases covering this technique (3)

Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) Internal exploit · alerting DSΣP [WEEKLY] Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes Internal delivery · alerting DSPDD [WEEKLY] Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) Internal delivery · alerting DSΣPDD

Articles citing this technique (84)

crit Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication art-09
high Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit art-17
high Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing art-18
crit China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade art-22
high Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code art-28
crit Rethinking MDR as Attackers and Defenders Embrace AI art-30
crit LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution art-32
high INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator art-33
high Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs art-36
crit ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities art-37
high New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets art-41
crit New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files art-42
crit The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm art-44
crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48
high AI Broke Vulnerability Management. That's Why CISOs Are Moving Budget to BAS. art-51
crit OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack art-53
high GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks art-55
crit China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance art-59
crit Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities art-61
crit Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE art-62
crit Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs art-67
crit Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows art-71
high Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blocked by Python Linter art-78
crit Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Ag art-79
high Meta to Use Off-Site Business Data for Feed and AI Personalization art-81
crit Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models art-87
high When “Hi, This Is IT” Comes Through Microsoft Teams art-98
crit AI brands as bait: How threat actors are using the AI hype in social engineering art-102
crit AI Phishing Is Crushing SOCs with Alert Volume: How to Reduce Tier 1 Overload art-103
high Securing CI/CD in an agentic world: Claude Code Github action case art-117
crit Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp art-127
high Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp art-130
crit Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign art-139
crit The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) art-143
high Multiple redhat-cloud-services npm Packages compromised art-144
crit Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor art-150
high Typosquatted npm packages used to steal cloud and CI/CD secrets art-183
crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217
crit Paved With Intent: ROADtools and Nation-State Tactics in the Cloud art-218
crit Tracking TamperedChef Clusters via Certificate and Code Reuse art-237
crit Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages art-267
crit Active Supply Chain Attack: Malicious node-ipc Versions Published to npm art-269
crit Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account art-270
high Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files art-281
crit Kimsuky targets organizations with PebbleDash-based tools art-308
crit FrostyNeighbor: Fresh mischief and digital shenanigans art-309
crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316
crit TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack art-318
crit PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale art-322
crit Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Sco art-333
crit Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools art-335
crit lightning PyPI Compromise: A Bun-Based Credential Stealer in Python art-343
high Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files art-346
high Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm art-361
crit What the ransom note won’t say art-370
high As breakout time accelerates, prevention-first cybersecurity takes center stage art-408
crit TeamPCP Plants WAV Steganography Credential Stealer in telnyx PyPI Package art-413
crit litellm: Credential Stealer Hidden in PyPI Wheel art-423
high A cunning predator: How Silver Fox preys on Japanese firms this tax season art-426
high CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem art-429
crit How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM art-443
crit EDR killers explained: Beyond the drivers art-455
crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458
crit Cyber fallout from the Iran war: What to have on your radar art-474
crit Sednit reloaded: Back in the trenches art-477
crit PlugX Meeting Invitation via MSBuild and GDATA art-503
high 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) art-537
crit Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure art-542
med Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan art-593
high Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages art-605
crit ESET Threat Report H2 2025 art-647
crit Supply Chain Security Alert: eslint-config-prettier Package Shows Signs of Compromise art-654
high SHA1-Hulud, npm supply chain incident art-686
crit Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages art-690
med Why Threat Modeling Is Now Even More Critical for AI-Native Applications art-694
crit ESET APT Activity Report Q2 2025–Q3 2025 art-715
crit Phishing Campaign Leveraging the NPM Ecosystem art-754
high npm Supply Chain Attack via Open Source maintainer compromise art-794
crit Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware art-837
low AI Trust in Action: How Snyk Agent Redefines Secure Development art-885
med Securing GenAI Development with Snyk art-1035
high The persistent threat: Why major vulnerabilities like Log4Shell and Spring4Shell remain significant art-1165
high Building an npm package compatible with ESM and CJS in 2024 art-1258
high Exploiting HTTP/2 CONTINUATION frames for DoS attacks art-1265