Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Credential Access/ T1555.003

T1555.003Credentials from Web Browsers

T1555.003 — Credentials from Web Browsers is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 17 detection use cases covering it and 125 threat-intel articles citing it.

Credential Access
View on the matrix → Filter Detection Library MITRE official spec ↗
17Use cases
125Articles
0Sub-techniques
1Tactic
↑ Parent technique: T1555 · Credentials from Password Stores

Use cases covering this technique (17)

Infostealer — non-browser process accessing browser cookie/login DBs Internal actions · alerting DSΣP [WEEKLY] Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN Internal actions · alerting DSPDD [WEEKLY] Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains Internal install · alerting DSPDDCSCW [WEEKLY] Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes Internal actions · alerting DSPDD [WEEKLY] npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules Internal install · alerting DSΣPDD [WEEKLY] Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access Internal install · alerting DSPDD [WEEKLY] Supply-chain repo credential theft → outbound exfil to attacker infra Internal actions · alerting DSPDD Non Chrome Process Accessing Chrome Default Dir ESCU actions · hunting P Non Firefox Process Access Firefox Profile Dir ESCU actions · hunting P Possible Browser Pass View Parameter ESCU actions · hunting P Windows Credentials from Password Stores Chrome Copied in TEMP Dir ESCU actions · alerting P Windows Credentials from Web Browsers Saved in TEMP Folder ESCU actions · alerting P [LLM] Non-browser process fan-out reading SSH/npm/Docker/AWS/browser credential stores on Arch host Bespoke actions · hunting DSPDDCS [LLM] GIFTEDCROOK browser credential and cookie theft — non-browser process reads Chromium/Firefox stores Bespoke actions · hunting DSΣPDDCS [LLM] Non-browser process copying Chrome/Edge/Brave Login Data, Web Data, or wallet extension LevelDB state Bespoke actions · alerting DSΣPDDCS [LLM] MuddyWater CE-Notes / LP-Notes / Blub stealer staging-file writes Bespoke actions · alerting DSΣPDDCS [LLM] Non-browser process reading Chrome/Edge/Opera Login Data or Local State Bespoke actions · alerting DSΣPDDCS

Articles citing this technique (125)

med 152 Chrome Extensions Hide Ad Tracking and Fake Google Search Traffic art-04
crit 400+ AUR Packages Hijacked: What the “Atomic Arch” Campaign Means for Supply-Chain Security art-14
high Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit art-17
high Over 400 Arch Linux packages compromised to push rootkit, infostealer art-25
crit Early Warning Signs of Supply-Chain Attacks Live in the Dark Web art-27
crit Rethinking MDR as Attackers and Defenders Embrace AI art-30
high Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs art-36
high npm v12 delivers one of the biggest security improvements in years art-46
crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48
crit Compromised Rust crate onering performs code exfiltration art-66
high Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blocked by Python Linter art-78
crit Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues art-82
crit Wait, binding.gyp Can Do What? Exploring npm's Weirdest Build System art-85
crit WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine art-86
crit Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models art-87
crit New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing art-89
high Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer art-90
crit LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE art-92
crit One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public art-100
crit Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order art-101
crit AI brands as bait: How threat actors are using the AI hype in social engineering art-102
crit AI Phishing Is Crushing SOCs with Alert Volume: How to Reduce Tier 1 Overload art-103
crit VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances art-107
crit UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign art-108
high Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI art-114
crit [GHSA / CRITICAL] GHSA-8whc-2wmv-ww35: WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPT art-125
high Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp art-130
crit The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) art-143
high Nx Console VS Code Extension Compromised art-146
crit Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor art-150
crit Containers on fire: from container escapes to supply chain attacks art-158
high Miasma supply chain attack: malicious code found in @redhat-cloud-services npm packages art-159
high What MDM can't protect on developer machines (and what to do about it) art-186
crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface art-187
high Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens art-194
high Why developer machines are now the number one target for supply chain attacks art-208
crit Laravel Lang Supply Chain Advisory art-211
high Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer art-212
crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217
crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219
crit 5 Supply Chain Attacks in 48 Hours: Why Securing One Layer Is Not Enough art-230
high Dev Machine Guard Now Supports Linux art-234
crit The Wild West of VS Code extensions and how a poisoned extension breached GitHub art-236
crit Tracking TamperedChef Clusters via Certificate and Code Reuse art-237
high GitHub breached via a malicious VS Code extension: why developer devices are the real target art-238
high Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again! art-254
crit Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages art-267
crit Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account art-270
crit IT threat evolution in Q1 2026. Mobile statistics art-278
high Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files art-281
crit Malicious node-ipc versions published to npm in suspected maintainer account compromise art-284
high The time of much patching is coming art-296
crit Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities art-302
crit Kimsuky targets organizations with PebbleDash-based tools art-308
crit TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages art-312
crit Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack art-315
crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316
crit TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack art-318
crit Security metamorphosis: a Mythos-ready architecture checklist for autonomous AI attacks art-331
crit Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Sco art-333
high elementary-data Compromised on PyPI and GHCR: Forged Release Pushed via GitHub Actions Script Injection art-334
crit Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools art-335
crit CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister art-336
high Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud art-339
crit lightning PyPI Compromise: A Bun-Based Credential Stealer in Python art-343
crit Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer art-345
high Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files art-346
high "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages art-348
high Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from Data Engineers art-352
high It's time to treat browser extensions like supply chain attack vectors art-354
high Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm art-361
high GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays art-367
high Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow art-379
high Securing Vibe Coding and AI Coding Agents: An End-to-End Approach with StepSecurity art-395
crit Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack art-400
crit axios Compromised on npm - Malicious Versions Drop Remote Access Trojan art-401
high hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far art-403
high GlassWorm goes native: New Zig dropper infects every IDE on your machine art-405
high Aikido Attack finds multiple 0-days in Hoppscotch art-406
high Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor art-412
crit TeamPCP Plants WAV Steganography Credential Stealer in telnyx PyPI Package art-413
high axios compromised on npm: maintainer account hijacked, RAT deployed art-421
crit litellm: Credential Stealer Hidden in PyPI Wheel art-423
crit Popular telnyx package compromised on PyPI by TeamPCP art-425
high Checkmarx KICS GitHub Action Compromised: Malware Injected in All Git Tags art-428
high Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised art-430
crit Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org and Steals Wallet Keys art-433
crit ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push art-434
crit How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM art-443
high CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran art-444
high TeamPCP deploys CanisterWorm on NPM following Trivy compromise art-445
crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458
crit fast-draft Open VSX Extension Compromised by BlokTrooper art-459
high Glassworm Strikes Popular React Native Phone Number Packages art-466
crit Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories art-468
crit Sednit reloaded: Back in the trenches art-477
crit How SMBs use threat research and MDR to build a defensive edge art-486
crit Protecting education: How MDR can tip the balance in favor of schools art-491
crit Persistent XSS/RCE using WebSockets in Storybook’s dev server art-494
high Astro Full-Read SSRF via Host Header Injection art-510
crit SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel art-518
high From detection to prevention: How Zen stops IDOR vulnerabilities at runtime art-534
high npm backdoor lets hackers hijack gambling outcomes art-535
high 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) art-537
crit Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure art-542
high npx Confusion: Packages That Forgot to Claim Their Own Name art-578
high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594
high G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets art-604
high Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages art-605
crit Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT art-608
crit LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan art-642
crit ESET Threat Report H2 2025 art-647
crit Supply Chain Security Alert: eslint-config-prettier Package Shows Signs of Compromise art-654
med MuddyWater: Snakes by the riverbank art-676
crit ESET APT Activity Report Q2 2025–Q3 2025 art-715
crit SnakeStealer: How it preys on personal data – and how you can protect yourself art-736
crit s1ngularity: Popular Nx Build System Package Compromised with Data-Stealing Malware art-778
high npm Supply Chain Attack via Open Source maintainer compromise art-794
high Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident art-806
high Cursor IDE Malware Extension Compromise in $500k Crypto Heist art-842
high Ultralytics AI Pwn Request Supply Chain Attack art-1055
high Lottie Player npm package compromised for crypto wallet theft art-1096
crit Polyfill supply chain attack embeds malware in JavaScript CDN assets art-1218
crit Exploring WebExtension security vulnerabilities in React Developer Tools and Vue.js devtools art-1328
high XS leaks: What they are and how to avoid them art-1419