AN0023: Analytic 0023
Developer tools (Homebrew, pip, npm/yarn, Xcode builds) install or update dependencies; new Mach-O or scripts appear under /usr/local, /opt/homebrew, ~/Library/Application Support, project dirs (node_modules/.bin, venv/bin). First run spawns sh/zsh/osascript/curl and new outbound flows; Gatekeeper/AMFI may flag unsigned components.
Analyst context for executives and security teams
AN0023 is a macOS detection analytic focused on developer tooling activity: Homebrew, pip, npm/yarn, and Xcode builds installing dependencies that create new Mach-O binaries or scripts, followed by first-run behavior such as shell, osascript, curl, and outbound network activity. For security leaders, the value is not that developer tools are inherently suspicious, but that they are high-volume, trusted paths where risky or unauthorized code can appear quickly and blend into normal engineering work.
Executive priority
Prioritize this where macOS developer workstations support production software, privileged cloud access, CI/CD workflows, or sensitive intellectual property. The business question is whether the organization can distinguish expected dependency installation from new executable content that immediately launches interpreters, automation, download tools, or network connections. This analytic can support SOC readiness, software supply-chain risk management, endpoint logging validation, and audit evidence around control of developer endpoints.
Technical view
Validate visibility on macOS endpoints for dependency managers and build tools writing new Mach-O files or scripts under /usr/local, /opt/homebrew, ~/Library/Application Support, project directories such as node_modules/.bin, and virtual environment paths such as venv/bin. Since no official detection logic is supplied, teams should build environment-specific baselines for normal developer installs and then correlate first execution with child processes such as sh, zsh, osascript, or curl, outbound network flows, and any Gatekeeper or AMFI unsigned-component signals. One caveat on the last signal: Gatekeeper only assesses files carrying the com.apple.quarantine attribute, which browser downloads set but curl, pip, npm, and Homebrew generally do not, so a new component installed by a package manager may run without any Gatekeeper event at all; AMFI code-signing complaints are the more likely signal there, and neither should be required for the correlation to fire. Treat this as behavioral context rather than a standalone high-confidence alert.
Likely telemetry
- macOS endpoint process creation events for Homebrew, pip, npm, yarn, Xcode build tools, shells, osascript, and curl
- File creation or modification events for new Mach-O binaries and scripts in /usr/local, /opt/homebrew, ~/Library/Application Support, node_modules/.bin, and venv/bin
- Parent-child process relationships showing first-run execution after dependency installation or build activity
- Network connection telemetry for new outbound flows from newly installed or built components
- macOS Gatekeeper and AMFI events related to unsigned or blocked components
Detection direction
- Confirm that macOS EDR or logging captures both file writes and process lineage in developer-tool paths; process-only telemetry may miss the creation of risky components.
- Tune against known developer workflows, package managers, build systems, and scheduled maintenance to reduce false positives from legitimate dependency updates.
- Correlate multiple signals: new executable or script creation, first execution, shell or automation child process, download utility use, outbound network connection, and Gatekeeper/AMFI warnings.
- Cover both Homebrew prefixes: /opt/homebrew on Apple Silicon and /usr/local on Intel (an Intel Homebrew running under Rosetta on Apple Silicon also uses /usr/local), so that neither architecture is a blind spot.
- Avoid treating all package-manager activity as malicious; the material signal is unusual new executable content plus suspicious first-run behavior for the user, project, or host.
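The technical view and the detection-direction bullets above describe a correlation rather than a single rule: a package manager writes a new Mach-O or script under a developer path, that file is executed for the first time, and within a short window its process tree spawns a shell, osascript, or curl, opens an outbound connection, or draws a Gatekeeper/AMFI complaint. The Python below is an added worked example of that correlation over constructed telemetry; it is not MITRE's detection logic and not any EDR's schema. The event dictionaries, field names, host and user names, the install path /Users/alice/proj/node_modules/.bin/postinstall-helper, and the threshold and window values are all assumptions chosen for illustration.

```python
"""Correlate macOS developer-tool installs with suspicious first-run behaviour.

Added worked example for AN0023, not MITRE's detection logic and not any
vendor's schema. Events are plain dicts in an assumed, simplified schema;
the sample events below are constructed and every path, host and user name
in them is made up.
"""
from os.path import basename

# Install targets named by AN0023. Substring match because the user's home
# and project directories vary.
DEV_TOOL_ROOTS = (
    "/usr/local/", "/opt/homebrew/", "/Library/Application Support/",
    "/node_modules/.bin/", "/venv/bin/", "/.venv/bin/",
)
INSTALLERS = {"brew", "pip", "pip3", "npm", "yarn", "xcodebuild"}
RISKY_CHILDREN = {"sh", "zsh", "bash", "osascript", "curl"}
WINDOW_SECONDS = 300   # first-run behaviour must follow the first exec this closely
MIN_SIGNALS = 2        # distinct signals required before raising an alert (assumed)

# Mach-O magic numbers (thin 32/64-bit, both byte orders) and the fat header.
# 0xcafebabe is shared with Java class files; a production check should also
# confirm that the fat arch count is small, which this example skips.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


def classify_executable(header: bytes):
    """Return 'macho', 'script' or None from the first bytes of a new file."""
    if header[:4] in MACHO_MAGICS:
        return "macho"
    if header.startswith(b"#!"):
        return "script"
    return None


def under_dev_root(path: str) -> bool:
    return any(root in path for root in DEV_TOOL_ROOTS)


def correlate(events):
    """Walk time-ordered telemetry; alert on new executables whose first-run
    process tree shows MIN_SIGNALS or more of: risky child, outbound
    connection, Gatekeeper/AMFI complaint."""
    installed = {}      # path -> install record (kind, installer, user, host)
    first_run_ts = {}   # path -> timestamp of first exec
    pid_to_path = {}    # any pid in the new executable's process tree -> path
    signals = {}        # path -> set of signal labels

    def in_window(path, ts):
        return path in first_run_ts and ts - first_run_ts[path] <= WINDOW_SECONDS

    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "file_create":
            exe_kind = classify_executable(ev.get("header", b""))
            if exe_kind and under_dev_root(ev["path"]) and basename(ev["image"]) in INSTALLERS:
                installed[ev["path"]] = {"kind": exe_kind, "installer": basename(ev["image"]),
                                         "user": ev["user"], "host": ev["host"]}
                signals[ev["path"]] = set()
        elif kind == "process_exec":
            img = ev["image"]
            if img in installed and img not in first_run_ts:
                first_run_ts[img] = ev["ts"]          # first run of the new component
                pid_to_path[ev["pid"]] = img
            elif ev["ppid"] in pid_to_path:
                path = pid_to_path[ev["ppid"]]
                pid_to_path[ev["pid"]] = path         # keep following the subtree
                if basename(img) in RISKY_CHILDREN and in_window(path, ev["ts"]):
                    signals[path].add("child:" + basename(img))
        elif kind == "network_connect" and ev["pid"] in pid_to_path:
            path = pid_to_path[ev["pid"]]
            if in_window(path, ev["ts"]):
                signals[path].add("outbound:" + ev["dst"])
        elif kind in ("gatekeeper", "amfi") and ev["path"] in installed:
            signals[ev["path"]].add("unsigned:" + kind)

    return [{**rec, "path": path, "signals": sorted(signals[path])}
            for path, rec in installed.items() if len(signals[path]) >= MIN_SIGNALS]


# Constructed sample telemetry: one npm install whose new Mach-O immediately
# runs sh -> curl -> outbound and trips Gatekeeper, and one brew install of gh
# whose first run makes a single outbound connection and stays below threshold.
NEW_EXE = "/Users/alice/proj/node_modules/.bin/postinstall-helper"   # hypothetical
H = {"host": "mac-dev-01", "user": "alice"}
SAMPLE_EVENTS = [
    {"ts": 100, "type": "file_create", "pid": 500, "image": "/opt/homebrew/bin/npm",
     "path": NEW_EXE, "header": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01", **H},
    {"ts": 101, "type": "file_create", "pid": 500, "image": "/opt/homebrew/bin/npm",
     "path": "/Users/alice/proj/node_modules/lodash/index.js", "header": b"module.exports", **H},
    {"ts": 105, "type": "process_exec", "pid": 600, "ppid": 500, "image": NEW_EXE, **H},
    {"ts": 106, "type": "process_exec", "pid": 601, "ppid": 600, "image": "/bin/sh", **H},
    {"ts": 107, "type": "process_exec", "pid": 602, "ppid": 601, "image": "/usr/bin/curl", **H},
    {"ts": 108, "type": "network_connect", "pid": 602, "dst": "203.0.113.10:443", **H},
    {"ts": 109, "type": "gatekeeper", "path": NEW_EXE, **H},
    {"ts": 200, "type": "file_create", "pid": 700, "image": "/opt/homebrew/bin/brew",
     "path": "/opt/homebrew/bin/gh", "header": b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01", **H},
    {"ts": 210, "type": "process_exec", "pid": 800, "ppid": 1, "image": "/opt/homebrew/bin/gh", **H},
    {"ts": 211, "type": "network_connect", "pid": 800, "dst": "203.0.113.20:443", **H},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two design points carry over to a real deployment: the `image` of the writing process is whatever your EDR reports, and Homebrew in particular runs as bash executing a script, so the installer match usually has to look at the script argument or the process ancestry rather than the image basename; and the Gatekeeper/AMFI signal is treated as one contributor among several, never as a prerequisite, because package-manager installs typically lack the quarantine attribute that triggers Gatekeeper.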
Mitigation priorities
- Maintain managed configuration and security monitoring on macOS developer endpoints, especially systems with access to source code, production credentials, or cloud administration.
- Reduce unnecessary privilege on developer workstations and enforce least-privilege access to sensitive repositories, build systems, and cloud resources.
- Standardize approved developer tooling paths and update workflows so detections can distinguish expected package installation from unusual behavior.
- Require endpoint controls and macOS security features that surface or enforce handling of unsigned components where operationally feasible.
- Use dependency governance, code review, and vulnerability management processes to reduce exposure from unreviewed or unexpected packages.
Analyst notes and limits
The supplied object is a detection analytic for macOS only. It describes relevant behaviors and paths but does not provide official detection logic, mapped tactics, techniques, mitigations, or relationships. The strongest use is as a validation checklist for macOS developer endpoint visibility and correlation design.
This take is limited to the provided ATT&CK fields and external reference. It does not assert active exploitation, adversary attribution, impact, or existing detection coverage. Local baselines are required because developer package installation and build activity are common legitimate behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6230a7c33434… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0023
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.