MITRE ATT&CK detection coverage

← Back to main site

Home/ MITRE Matrix/ Credential Access/ T1539

T1539Steal Web Session Cookie

T1539 — Steal Web Session Cookie is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 15 detection use cases covering it and 87 threat-intel articles citing it.

Credential Access

View on the matrix → Filter Detection Library MITRE official spec ↗

15Use cases

87Articles

0Sub-techniques

1Tactic

Use cases covering this technique (15)

Infostealer — non-browser process accessing browser cookie/login DBs Internal actions · alerting DSΣP [WEEKLY] Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN Internal actions · alerting DSPDD [WEEKLY] Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes Internal actions · alerting DSPDD [WEEKLY] OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay Internal c2 · alerting DSPDD Okta Suspicious Use of a Session Cookie ESCU actions · hunting P [LLM] Non-browser process fan-out reading SSH/npm/Docker/AWS/browser credential stores on Arch host Bespoke actions · hunting DSPDDCS [LLM] Atomic Arch infostealer — bulk reads of SSH/npmrc/Vault/browser-cookie files by non-shell process Bespoke actions · hunting DSPDDCS [LLM] GIFTEDCROOK browser credential and cookie theft — non-browser process reads Chromium/Firefox stores Bespoke actions · hunting DSΣPDDCS [LLM] Non-Chrome process modifies macOS Chrome Preferences (FlutterShell browser hijack) Bespoke actions · hunting DSΣPCS [LLM] Cyberhaven trojanized Chrome extension C2 callback to cyberhavenext.pro Bespoke c2 · alerting DSΣPDDCS [LLM] Burst credential-file harvest by VS Code / node process (Nx Console stealer behaviour) Bespoke actions · hunting DSPDDCS [LLM] Cyberhaven compromised Chrome extension C2 callback (cyberhavenext.pro) Bespoke c2 · hunting DSΣPDDCS [LLM] Mailcow login with HTML/JS injected into X-Real-IP header (GHSA-jprq-w83q-q62h) Bespoke delivery · alerting SPDD [LLM] Hoppscotch device-login open redirect token theft via localhost.* / sslip.io bypass Bespoke exploit · alerting DSΣPDDCS [LLM] Non-browser process copying Chrome/Edge/Brave Login Data, Web Data, or wallet extension LevelDB state Bespoke actions · alerting DSΣPDDCS

Articles citing this technique (87)

med 152 Chrome Extensions Hide Ad Tracking and Fake Google Search Traffic art-04

crit 400+ AUR Packages Hijacked: What the “Atomic Arch” Campaign Means for Supply-Chain Security art-14

high Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit art-17

high Over 400 Arch Linux packages compromised to push rootkit, infostealer art-25

crit Early Warning Signs of Supply-Chain Attacks Live in the Dark Web art-27

high Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs art-36

high npm v12 delivers one of the biggest security improvements in years art-46

crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48

crit Compromised Rust crate onering performs code exfiltration art-66

crit Wait, binding.gyp Can Do What? Exploring npm's Weirdest Build System art-85

crit WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine art-86

crit AI brands as bait: How threat actors are using the AI hype in social engineering art-102

crit [GHSA / CRITICAL] GHSA-8whc-2wmv-ww35: WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPT art-125

crit The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) art-143

crit Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor art-150

high What MDM can't protect on developer machines (and what to do about it) art-186

crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface art-187

high Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens art-194

high Why developer machines are now the number one target for supply chain attacks art-208

crit Laravel Lang Supply Chain Advisory art-211

high Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer art-212

crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217

high Dev Machine Guard Now Supports Linux art-234

crit The Wild West of VS Code extensions and how a poisoned extension breached GitHub art-236

crit Tracking TamperedChef Clusters via Certificate and Code Reuse art-237

high GitHub breached via a malicious VS Code extension: why developer devices are the real target art-238

high Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again! art-254

crit Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages art-267

crit IT threat evolution in Q1 2026. Mobile statistics art-278

high Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files art-281

high The time of much patching is coming art-296

crit TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages art-312

crit Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack art-315

crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316

crit Security metamorphosis: a Mythos-ready architecture checklist for autonomous AI attacks art-331

high elementary-data Compromised on PyPI and GHCR: Forged Release Pushed via GitHub Actions Script Injection art-334

crit CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister art-336

high Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud art-339

crit Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer art-345

high Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files art-346

high "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages art-348

high It's time to treat browser extensions like supply chain attack vectors art-354

high Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm art-361

high GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays art-367

high Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow art-379

high Securing Vibe Coding and AI Coding Agents: An End-to-End Approach with StepSecurity art-395

crit axios Compromised on npm - Malicious Versions Drop Remote Access Trojan art-401

high hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far art-403

high GlassWorm goes native: New Zig dropper infects every IDE on your machine art-405

high Aikido Attack finds multiple 0-days in Hoppscotch art-406

high Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor art-412

high axios compromised on npm: maintainer account hijacked, RAT deployed art-421

crit litellm: Credential Stealer Hidden in PyPI Wheel art-423

crit Popular telnyx package compromised on PyPI by TeamPCP art-425

high Checkmarx KICS GitHub Action Compromised: Malware Injected in All Git Tags art-428

high Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised art-430

crit ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push art-434

high CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran art-444

high TeamPCP deploys CanisterWorm on NPM following Trivy compromise art-445

crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458

crit fast-draft Open VSX Extension Compromised by BlokTrooper art-459

high Glassworm Strikes Popular React Native Phone Number Packages art-466

crit Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories art-468

crit How SMBs use threat research and MDR to build a defensive edge art-486

crit Protecting education: How MDR can tip the balance in favor of schools art-491

crit Persistent XSS/RCE using WebSockets in Storybook’s dev server art-494

high Astro Full-Read SSRF via Host Header Injection art-510

crit SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel art-518

high From detection to prevention: How Zen stops IDOR vulnerabilities at runtime art-534

high npm backdoor lets hackers hijack gambling outcomes art-535

high 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) art-537

crit Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure art-542

high npx Confusion: Packages That Forgot to Claim Their Own Name art-578

high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594

high G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets art-604

high Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages art-605

crit Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT art-608

crit ESET Threat Report H2 2025 art-647

crit SnakeStealer: How it preys on personal data – and how you can protect yourself art-736

crit s1ngularity: Popular Nx Build System Package Compromised with Data-Stealing Malware art-778

high npm Supply Chain Attack via Open Source maintainer compromise art-794

high Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident art-806

high Cursor IDE Malware Extension Compromise in $500k Crypto Heist art-842

high Lottie Player npm package compromised for crypto wallet theft art-1096

crit Polyfill supply chain attack embeds malware in JavaScript CDN assets art-1218

crit Exploring WebExtension security vulnerabilities in React Developer Tools and Vue.js devtools art-1328

high XS leaks: What they are and how to avoid them art-1419