T1195.002
Compromise Software Supply Chain
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)
Atomic Tests
Atomic Test #1 - Simulate npm package installation on a Linux system
Launches a short-lived Kubernetes pod from the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package with the audit, funding message and package-lock steps disabled (--no-audit --no-fund --no-package-lock), simulating potentially suspicious package retrieval (e.g., typosquatting or dependency confusion) from within a container. The pod is deleted after execution.
Supported Platforms: Containers, Linux
auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| image_name | Name of the image | string | node:18 |
| pod_name | Name of the pod | string | atomic-npm-install |
| package_name | NPM package to install | string | tinycolor |
Attack Commands: Run with bash!
```bash
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
```
Dependencies: Run with bash!
Description: kubectl must be installed and configured
Check Prereq Commands:
```bash
which kubectl
```
Get Prereq Commands:
```bash
echo "kubectl must be installed"
```
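As an added defender-side example (not part of the Atomic Red Team test or its tooling), the check below compares the package.json printed before and after the install and flags newly added dependency names that are near-misses of well-known packages (typosquatting) or that collide with an internal scoped package (dependency confusion). The popular-name list, the internal scope and the sample package.json contents are constructed here; a hit means "review", not "malicious".

```python
"""Flag new npm dependencies that look like typosquats or dependency-confusion
candidates. Reference lists and sample package.json texts are constructed."""
import json

# Constructed: well-known names a typosquat would imitate.
POPULAR = {"lodash", "express", "react", "tinycolor2", "colors", "chalk"}
# Constructed: the organisation's private scope and packages; an unscoped
# name that matches one of them is a classic dependency-confusion pattern.
INTERNAL_SCOPE = "@acme"
INTERNAL_PACKAGES = {"@acme/auth-client", "@acme/logger"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between names indicate a near-miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def new_dependencies(before: str, after: str) -> dict:
    """Dependencies present in the 'after' package.json but not in 'before'."""
    def deps(text: str) -> dict:
        doc = json.loads(text)
        out = {}
        for key in ("dependencies", "devDependencies"):
            out.update(doc.get(key, {}))
        return out
    b, a = deps(before), deps(after)
    return {name: spec for name, spec in a.items() if name not in b}

def assess(name: str) -> list:
    """Reasons a package name deserves review (empty list = no finding)."""
    reasons = []
    if name in POPULAR:
        return reasons
    for known in sorted(POPULAR):
        if levenshtein(name, known) <= 2:
            reasons.append(f"near-miss of popular package '{known}'")
    bare = name.split("/")[-1]
    if not name.startswith("@") and f"{INTERNAL_SCOPE}/{bare}" in INTERNAL_PACKAGES:
        reasons.append("unscoped name collides with an internal package")
    return reasons

def review(before: str, after: str) -> dict:
    """Map each newly added dependency with findings to its reasons."""
    return {n: r for n in new_dependencies(before, after) if (r := assess(n))}

# Constructed sample: package.json as printed before and after the install.
BEFORE = '{"name": "test", "version": "1.0.0"}'
AFTER = ('{"name": "test", "version": "1.0.0", "dependencies": '
         '{"tinycolor": "^1.4.1", "lodash": "^4.17.21", "logger": "^1.0.0"}}')

if __name__ == "__main__":
    for pkg, why in review(BEFORE, AFTER).items():
        print(f"{pkg}: {'; '.join(why)}")
```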