T1546.016 Installer Packages
T1546.016 — Installer Packages is a MITRE ATT&CK technique in the Privilege Escalation tactic. Clankerusecase tracks 27 detection use cases covering it and 18 threat-intel articles citing it.
Tactics: Privilege Escalation, Persistence
27 Use cases
18 Articles
0 Sub-techniques
2 Tactics
↑ Parent technique: T1546 · Event Triggered Execution
Use cases covering this technique (27)
[WEEKLY] Developer package install spawning script-host with non-registry C2 within 5 minutes
[WEEKLY] Install-Triggered Registry Publish or Git Push (Supply-Chain Worm Self-Propagation)
[WEEKLY] npm Install-Time Lifecycle Hook Triggers Outbound Egress to Newly-Seen Domain (Shai-Hulud/Miasma/IronWorm pattern)
[WEEKLY] npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules
[WEEKLY] Package-install lifecycle script harvests local credentials and beacons to a non-baselined domain
[WEEKLY] Package-manager install hook spawns interpreter that beacons to non-registry host within 120s
[WEEKLY] Package-manager install-time interpreter spawn with credential-file read and outbound egress within 120s
[WEEKLY] Package manager lifecycle hook spawns network-fetching shell or runtime
[WEEKLY] Package manager lifecycle hook spawns runtime with outbound egress to non-registry host within 5 minutes
[LLM] Bun runtime spawned by npm/node preinstall hook (TeamPCP setup.mjs loader)
[LLM] Bun runtime spawned via node→shell→bun chain from npm install (Miasma dropper)
[LLM] Malicious @bitwarden/cli payload artifacts on disk (bw_setup.js, bw1.js, Shai-Hulud markers)
[LLM] Malicious postinstall.js dropped under node_modules for actor scopes
[LLM] npm/yarn/pnpm postinstall hook spawning credential-harvest tooling
[LLM] Trojanized axios npm package postinstall: node.exe spawned from plain-crypto-js dependency
[LLM] npm preinstall hook executes 'node setup.mjs' / 'bun execution.js' (Mini Shai-Hulud SAP supply chain)
[LLM] Mini Shai-Hulud npm preinstall chain: node setup.mjs → bun execution.js
[LLM] Shai-Hulud 2.0 npm worm artifact: setup_bun.js / bun_environment.js dropped by node/npm
[LLM] npm postinstall node setup.js dropper executing from plain-crypto-js with immediate network egress
[LLM] npm/node postinstall hook spawning interpreter and reaching new C2 host (Axios-style dropper)
[LLM] npm postinstall SSH-backdoor chain: node spawning sudo ufw allow 22/tcp + chown ~/.ssh
[LLM] npm install referencing GitHub commit SHA (github:owner/repo#sha) — dangling-commit supply chain hunt
[LLM] File creation under npx cache for Aikido-claimed phantom package names
[LLM] Compromised Nx npm package version install on developer or CI host
[LLM] SHA1-Hulud worm payload execution via npm preinstall (setup_bun.js / bun_environment.js)
[LLM] Node/npm postinstall spawning AI coding agent CLI (s1ngularity execution chain)
[LLM] macOS Text Replacements exfiltration via `defaults read NSUserDictionaryReplacementItems`

Articles citing this technique (18)
crit [GHSA / CRITICAL] GHSA-jpvj-wpmj-h7rv: Supply chain compromise via malicious @cap-js/openapi art-123
high "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages art-348