Detect Compromise Software Dependencies and Development Tools in CrowdStrike LogScale
Adversaries manipulate software dependencies and development tools prior to receipt by a final consumer to compromise data or systems. This includes injecting malicious code into popular open source packages (npm, PyPI, RubyGems), registering typosquatted or abandoned package names, and poisoning CI/CD pipeline components such as GitHub Actions. Malicious packages commonly use preinstall/postinstall lifecycle hooks to execute arbitrary OS commands at install time, enabling immediate credential theft, reverse shell establishment, or persistent implant deployment. Detection focuses on package manager processes spawning unexpected child processes, outbound network connections from package manager child processes, CI/CD workflow file modifications, and installation from non-standard or suspicious registries.
MITRE ATT&CK
- Tactic
- Initial Access
- Technique
- T1195 Supply Chain Compromise
- Sub-technique
- T1195.001 Compromise Software Dependencies and Development Tools
- Canonical reference
- https://attack.mitre.org/techniques/T1195/001/
LogScale Detection Query
// T1195.001 — Supply Chain Compromise: Package Manager Hook Abuse + CI/CD Poisoning
// Arm 1: Package manager spawning suspicious child processes (postinstall/preinstall hook abuse)
#event_simpleName=ProcessRollup2
| test(
(
ParentBaseFileName = /^(npm\.cmd|npm\.exe|node\.exe|pip\.exe|pip3\.exe|python\.exe|python3\.exe|pipx\.exe|yarn\.exe|pnpm\.exe|gem\.exe|bundle\.exe|cargo\.exe|go\.exe|nuget\.exe|dotnet\.exe)$/i
or ParentCommandLine = /(postinstall|preinstall|install\.js|setup\.py|node-pre-gyp)/i
)
and
(
FileName = /^(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)$/i
or CommandLine = /(\/dev\/tcp|base64 -d|base64 --decode|bash -i|sh -i|nc -e|ncat -e|python -c|perl -e|ruby -e|DownloadString|DownloadFile|Invoke-Expression|IEX\(|curl http|wget http|--registry http)/i
)
)
| eval(
DetectionArm="PackageManagerSpawnedSuspiciousChild",
RiskScore=if(
FileName = /^(powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe)$/i
and CommandLine = /(DownloadString|DownloadFile|Invoke-Expression|IEX\(|base64 -d)/i,
"critical",
if(FileName = /^(certutil\.exe|bitsadmin\.exe|rundll32\.exe|regsvr32\.exe)$/i, "high", "medium")
)
)
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionArm, RiskScore])
// ─── Arm 2: Package manager unexpected external network connections (run as separate query) ───
// #event_simpleName=NetworkConnectIP4
// | test(
// FileName = /^(node\.exe|npm\.cmd|pip\.exe|pip3\.exe|python\.exe|python3\.exe|yarn\.exe|pnpm\.exe|gem\.exe|cargo\.exe|go\.exe)$/i
// and not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
// and not DomainName = /(registry\.npmjs\.org|pypi\.org|files\.pythonhosted\.org|rubygems\.org|crates\.io|nuget\.org|pkg\.go\.dev|proxy\.golang\.org|yarnpkg\.com|registry\.yarnpkg\.com)/i
// )
// | eval(DetectionArm="PackageManagerUnexpectedExternalConnection")
// | table([@timestamp, ComputerName, UserName, FileName, RemoteAddressIP4, DomainName, RemotePort, DetectionArm])
// ─── Arm 3: CI/CD pipeline file write events (requires Falcon FileVantage or custom IOA) ───
// #event_simpleName=PeFileWritten OR #event_simpleName=ScriptFileWritten
// | test(
// TargetFileName = /(\.github\/workflows|\.gitlab-ci|Jenkinsfile|\.circleci|\.travis|azure-pipelines)/i
// or TargetFileName = /(Makefile|CMakeLists\.txt|build\.gradle|pom\.xml)$/i
// )
// | eval(DetectionArm="CICDPipelineFileModified")
// | table([@timestamp, ComputerName, UserName, TargetFileName, DetectionArm])CrowdStrike Falcon LogScale (CQL) detection for T1195.001 supply chain compromise. Primary arm (ProcessRollup2): correlates Falcon process telemetry to detect package manager processes (npm, pip, yarn, gem, cargo, dotnet, go) or lifecycle hook command patterns spawning suspicious OS-level child processes — key indicator of malicious npm/PyPI/RubyGems packages executing arbitrary commands via postinstall/preinstall hooks at install time. Assigns a tiered risk score (critical/high/medium) based on child process type and command line content. Secondary arm (NetworkConnectIP4, run separately): identifies package manager processes making outbound connections to destinations outside known-good public registries. Tertiary arm (PeFileWritten/ScriptFileWritten with FileVantage, run separately): detects CI/CD pipeline configuration file writes targeting GitHub Actions, GitLab CI, Jenkinsfile, and Azure Pipelines. Arm 1 is the highest-fidelity signal with minimal false positive surface.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate native module compilation via node-gyp during npm install triggers node.exe spawning cmd.exe to run C/C++ compilers (cl.exe, gcc, make) — common in packages like bcrypt, canvas, sharp, sqlite3 on developer workstations with Visual Studio Build Tools or MinGW; add known developer endpoint ComputerName values or exclude CommandLine patterns matching known compiler binaries as grandchildren
- Corporate software development environments where Python-based build systems (SCons, waf) or Rust build scripts (build.rs) invoke shell commands as part of standard compilation will generate Arm 1 hits from cargo.exe or python.exe spawning sh/bash on Linux build agents — filter by known CI build agent ComputerName
- Authorized automated pipeline maintenance where GitHub Actions bots, Dependabot, or Renovate commit updated workflow YAML or Dockerfile content generates Arm 3 alerts — validate against known automation service account UserName values and scheduled change windows
Other platforms for T1195.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulated Malicious npm postinstall Hook
Expected signal: Sysmon Event ID 1: npm.cmd spawning cmd.exe with CommandLine containing 'whoami'. Sysmon Event ID 11: file creation at %TEMP%\argus-npm-test.txt. DeviceProcessEvents: InitiatingProcessFileName=npm.cmd, FileName=cmd.exe.
- Test 2Malicious pip setup.py Simulating Credential Exfiltration Pattern
Expected signal: Sysmon for Linux (or auditd): process creation with ParentProcess=python3/pip, ChildProcess=id or sh. Auditd syscall execve with ppid of pip process. Syslog: process accounting entry for 'id' with parent pip.
- Test 3Simulated GitHub Actions Workflow Poisoning
Expected signal: Sysmon Event ID 11 (FileCreated): TargetFilename ending in .github\workflows\ci.yml, InitiatingProcessFileName=cmd.exe. DeviceFileEvents: FileName=ci.yml, FolderPath contains .github/workflows, ActionType=FileCreated.
- Test 4npm Package Install from Non-Standard Registry (Registry Confusion)
Expected signal: Sysmon EventCode=3 (Network Connection): Image=node, DestinationIp=127.0.0.1, DestinationPort=4873, DestinationHostname not in standard registry allowlist. DeviceNetworkEvents: InitiatingProcessFileName=node, RemotePort=4873.
References (12)
- https://attack.mitre.org/techniques/T1195/001/
- https://www.paloaltonetworks.com/blog/cloud-security/github-actions-worm-dependencies/
- https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack
- https://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama/
- https://thehackernews.com/2024/09/hackers-hijack-22000-removed-pypi.html
- https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution
- https://hackread.com/backdoors-python-npm-packages-windows-linux/
- https://www.bitdefender.com/en-gb/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack
- https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
- https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
- https://cyberpress.org/malicious-npm-and-pypi-packages-disguised-as-dev-tools
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.001/T1195.001.md
Unlock Pro Content
Get the full detection package for T1195.001 including response playbook, investigation guide, and atomic red team tests.