title: Compromise Software Dependencies and Development Tools (T1195.001)
id: df00tech-t1195-001
status: experimental
description: "Adversaries manipulate software dependencies and development tools prior to receipt by a final consumer to compromise data or systems. This includes injecting malicious code into popular open source packages (npm, PyPI, RubyGems), registering typosquatted or abandoned package names, and poisoning CI/CD pipeline components such as GitHub Actions. Malicious packages commonly use preinstall/postinstall lifecycle hooks to execute arbitrary OS commands at install time, enabling immediate credential theft, reverse shell establishment, or persistent implant deployment. Detection focuses on package manager processes spawning unexpected child processes, outbound network connections from package manager child processes, CI/CD workflow file modifications, and installation from non-standard or suspicious registries."
references:
  - https://attack.mitre.org/techniques/T1195/001/
  - https://df00tech.com/detections/T1195.001
author: df00tech
date: 2026/04/18
tags:
  - attack.t1195.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate npm packages with postinstall scripts that compile native binaries (node-gyp, esbuild, sharp) — these frequently spawn cmd.exe or bash"
  - "Developer tools that legitimately use non-standard registries (Artifactory, Nexus, Azure Artifacts, private npm mirrors) for corporate package management"
  - "CI/CD automation committing workflow file updates as part of normal GitOps or automated dependency update PRs (Dependabot, Renovate)"
  - "Python packages with C extensions running compiler toolchains (gcc, cl.exe, link.exe) via setup.py during installation"
  - "Security scanning tools (Snyk, FOSSA, Trivy) that inspect packages and may trigger file access patterns"
level: high