Detect Compromise Software Dependencies and Development Tools in Splunk
Adversaries manipulate software dependencies and development tools prior to receipt by a final consumer to compromise data or systems. This includes injecting malicious code into popular open source packages (npm, PyPI, RubyGems), registering typosquatted or abandoned package names, and poisoning CI/CD pipeline components such as GitHub Actions. Malicious packages commonly use preinstall/postinstall lifecycle hooks to execute arbitrary OS commands at install time, enabling immediate credential theft, reverse shell establishment, or persistent implant deployment. Detection focuses on package manager processes spawning unexpected child processes, outbound network connections from package manager child processes, CI/CD workflow file modifications, and installation from non-standard or suspicious registries.
MITRE ATT&CK
- Tactic
- Initial Access
- Technique
- T1195 Supply Chain Compromise
- Sub-technique
- T1195.001 Compromise Software Dependencies and Development Tools
- Canonical reference
- https://attack.mitre.org/techniques/T1195/001/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImageLower=lower(ParentImage)
| eval ImageLower=lower(Image)
| eval CommandLineLower=lower(CommandLine)
| eval ParentCommandLineLower=lower(ParentCommandLine)
// Check if parent is a package manager
| eval IsPackageManager=if(
match(ParentImageLower, "(\\\\npm\.cmd$|\\\\npm\.exe$|\\\\node\.exe$|\\\\pip\.exe$|\\\\pip3\.exe$|\\\\python\.exe$|\\\\python3\.exe$|\\\\pipx\.exe$|\\\\yarn\.exe$|\\\\pnpm\.exe$|\\\\gem\.exe$|\\\\bundle\.exe$|\\\\cargo\.exe$|\\\\go\.exe$|\\\\nuget\.exe$|\\\\dotnet\.exe$)"),
1, 0)
// Check if child is a suspicious process
| eval IsSuspiciousChild=if(
match(ImageLower, "(\\\\powershell\.exe$|\\\\pwsh\.exe$|\\\\cmd\.exe$|\\\\wscript\.exe$|\\\\cscript\.exe$|\\\\mshta\.exe$|\\\\rundll32\.exe$|\\\\regsvr32\.exe$|\\\\certutil\.exe$|\\\\bitsadmin\.exe$|\\\\curl\.exe$|\\\\wget\.exe$)"),
1, 0)
// Check for suspicious command line content
| eval SuspiciousCommandLine=if(
match(CommandLineLower, "(/dev/tcp|base64 -d|bash -i|sh -i|nc -e|ncat -e|python -c|perl -e|ruby -e|downloadstring|downloadfile|invoke-expression|iex\\(|curl http|wget http|--registry http)"),
1, 0)
// Flag postinstall/preinstall hook indicators in parent command
| eval HookAbuse=if(
match(ParentCommandLineLower, "(postinstall|preinstall|install\.js|setup\.py|node-pre-gyp)"),
1, 0)
| eval DetectionArm=case(
IsPackageManager=1 AND IsSuspiciousChild=1, "PackageManagerSpawnedSuspiciousChild",
IsPackageManager=1 AND SuspiciousCommandLine=1, "PackageManagerSuspiciousCommandLine",
HookAbuse=1 AND IsSuspiciousChild=1, "LifecycleHookChildProcess",
true(), null())
| where DetectionArm IS NOT NULL
| eval RiskScore=IsPackageManager + IsSuspiciousChild + SuspiciousCommandLine + HookAbuse
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
DetectionArm, IsPackageManager, IsSuspiciousChild, SuspiciousCommandLine, HookAbuse, RiskScore
| sort - _timeDetects supply chain compromise via software dependency poisoning using Sysmon Event ID 1 (Process Creation). Evaluates parent-child process relationships to identify package managers (npm, pip, python, yarn, cargo, gem, dotnet, etc.) spawning suspicious OS-level processes indicative of malicious preinstall/postinstall lifecycle hook execution. Assigns a cumulative RiskScore across four detection dimensions: package manager parent, suspicious child process, malicious command line patterns, and lifecycle hook indicators. Higher RiskScore values indicate compound indicators requiring urgent triage.
Data Sources
Required Sourcetypes
False Positives & Tuning
- node-gyp compilation during native npm package installation spawning cmd.exe and compiler toolchain processes
- Corporate Artifactory or Nexus private registries appearing as non-standard registry connections
- Python packages with C extensions (numpy, scipy, cryptography) spawning gcc or cl.exe via setup.py
- Automated dependency update workflows (Dependabot, Renovate) modifying package.json or requirements.txt and triggering CI re-runs
- Security scanning integrations running pip audit or npm audit as part of build pipeline checks
Other platforms for T1195.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulated Malicious npm postinstall Hook
Expected signal: Sysmon Event ID 1: npm.cmd spawning cmd.exe with CommandLine containing 'whoami'. Sysmon Event ID 11: file creation at %TEMP%\argus-npm-test.txt. DeviceProcessEvents: InitiatingProcessFileName=npm.cmd, FileName=cmd.exe.
- Test 2Malicious pip setup.py Simulating Credential Exfiltration Pattern
Expected signal: Sysmon for Linux (or auditd): process creation with ParentProcess=python3/pip, ChildProcess=id or sh. Auditd syscall execve with ppid of pip process. Syslog: process accounting entry for 'id' with parent pip.
- Test 3Simulated GitHub Actions Workflow Poisoning
Expected signal: Sysmon Event ID 11 (FileCreated): TargetFilename ending in .github\workflows\ci.yml, InitiatingProcessFileName=cmd.exe. DeviceFileEvents: FileName=ci.yml, FolderPath contains .github/workflows, ActionType=FileCreated.
- Test 4npm Package Install from Non-Standard Registry (Registry Confusion)
Expected signal: Sysmon EventCode=3 (Network Connection): Image=node, DestinationIp=127.0.0.1, DestinationPort=4873, DestinationHostname not in standard registry allowlist. DeviceNetworkEvents: InitiatingProcessFileName=node, RemotePort=4873.
References (12)
- https://attack.mitre.org/techniques/T1195/001/
- https://www.paloaltonetworks.com/blog/cloud-security/github-actions-worm-dependencies/
- https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack
- https://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama/
- https://thehackernews.com/2024/09/hackers-hijack-22000-removed-pypi.html
- https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution
- https://hackread.com/backdoors-python-npm-packages-windows-linux/
- https://www.bitdefender.com/en-gb/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack
- https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
- https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
- https://cyberpress.org/malicious-npm-and-pypi-packages-disguised-as-dev-tools
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.001/T1195.001.md
Unlock Pro Content
Get the full detection package for T1195.001 including response playbook, investigation guide, and atomic red team tests.