AN0698: Analytic 0698
User-initiated installation of Python (pip), NodeJS (npm), or other language libraries, followed by unexpected network connections, credential access, or startup file modifications. Defender sees `pip install` or `npm install` commands run by a non-root user, followed shortly by new `.py`, `.sh`, or `.js` files in hidden directories, or interpreter-based execution during boot/login.
Analyst context for executives and security teams
This analytic matters because developer and scripting package managers can become an unmonitored path from normal user activity to persistence, credential exposure, or unauthorized outbound connections on Linux systems. For leaders, the decision point is whether endpoint and SOC coverage can distinguish routine package installation from package-driven execution that changes hidden files, startup behavior, or network activity shortly afterward.
Executive priority
Prioritize this as a Linux endpoint and developer-workstation visibility question. If non-root users can install Python, NodeJS, or similar libraries without monitoring, the organization may lack evidence needed for incident scoping, audit support, and containment decisions when suspicious interpreter activity follows. Security leaders should ask which Linux systems allow user-level package installation, whether those events are logged, and whether SOC playbooks correlate package install activity with follow-on network, credential, or startup-file changes.
Technical view
Validate whether Linux telemetry can identify non-root `pip install`, `npm install`, or similar language-library installation commands and correlate them with follow-on activity in a short window (minutes, not hours): creation of new `.py`, `.sh`, or `.js` files in hidden directories; unexpected network connections; credential-access indicators; or interpreter execution during boot or login. The sequence is plausible because both ecosystems run package-supplied code at install time (a `setup.py`, or an npm `preinstall`/`postinstall` script), so the install command is the parent of whatever the package does next. Because the ATT&CK object does not specify tactics or a formal detection rule, teams should treat this as a correlation analytic requiring local baselining of legitimate developer, CI, administrator, and user software-installation behavior.
Likely telemetry
- Linux process execution telemetry showing command line, user context, parent process, and interpreter/package-manager invocation
- File creation and modification telemetry for hidden directories and startup/login-related locations
- Network connection telemetry tied to process, user, host, destination, and timing
- Authentication or credential-access-relevant logs where available
- Boot, login, shell profile, service, or scheduled execution evidence involving Python, shell, or NodeJS interpreters
Detection direction
- Correlate non-root package-manager execution with nearby file, network, credential, or startup/login activity rather than alerting on package installation alone.
- Baseline legitimate `pip` and `npm` usage on developer workstations, build systems, and administrative Linux hosts to reduce false positives. A routine user-level install itself writes under hidden directories (`~/.local/lib/python*/site-packages`, `~/.cache/pip`, `~/.npm`) and connects to the package registry, so those paths and registry hosts need explicit exclusions or the analytic fires on every install.
- Tune for hidden-directory script creation and interpreter execution during boot or login (shell profiles such as `~/.bashrc` and `~/.profile`, user-level `systemd` units, `~/.config/autostart` entries), especially when temporally linked to a recent user-level install.
- Confirm telemetry preserves command line and user identity; without those fields, the analytic may be difficult to validate.
- Review blind spots around unmanaged Linux endpoints, ephemeral systems, local user home directories, and environments where endpoint logging excludes developer tooling.
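The correlation the two sections above describe, as an added worked example: this is not MITRE ATT&CK or Glexia detection logic. It assumes a simplified EDR-style event export (timestamp, host, user, uid, kind, detail), a ten-minute window, and a site-specific allowlist of registry hosts; the event timeline embedded at the bottom is constructed for the demo, not real telemetry. Note how the package manager's own writes under `site-packages` and its registry traffic are excluded, so alice's routine install does not alert while bob's does.

```python
"""Correlate non-root pip/npm installs with follow-on activity in a short window.

Added example for this page, not MITRE ATT&CK or Glexia detection logic. It
assumes a simplified EDR-style export (timestamp, host, user, uid, kind,
detail); the timeline at the bottom is constructed, not real telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import re

WINDOW = timedelta(minutes=10)

# A package-manager install by a non-root user opens a correlation window.
PKG_INSTALL = re.compile(r"\b(?:pip3?|python3? -m pip|npm|yarn)\b.*\binstall\b")
# Registries the install itself legitimately contacts (tune per site/proxy).
REGISTRY_HOSTS = {"pypi.org", "files.pythonhosted.org", "registry.npmjs.org"}
# A script created under a hidden directory, e.g. ~/.cache/.x/agent.py ...
HIDDEN_SCRIPT = re.compile(r"(?:^|/)\.[^/]+/.*\.(?:py|sh|js)$")
# ... excluding the package manager's own install trees, which also live
# under hidden directories and would otherwise match on every install.
PKG_TREES = re.compile(r"/(?:site-packages|node_modules|\.npm|\.cache/pip)/")
# Shell profiles and user-level autostart/service locations read at login/boot.
STARTUP_PATHS = (".bashrc", ".bash_profile", ".profile", ".zshrc",
                 ".config/autostart/", ".config/systemd/user/")
# An interpreter launched with a script path as its first argument.
INTERP_EXEC = re.compile(r"^(?:\S*/)?(?:python3?|node|bash|sh)\s+(\S+)")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    uid: int
    kind: str    # "process", "file", or "network"
    detail: str  # command line, file path, or "dst_host:port"


def classify(e: Event) -> Optional[str]:
    """Name the follow-on indicator an event represents, or None."""
    if e.kind == "file":
        if any(p in e.detail for p in STARTUP_PATHS):
            return "startup_file_modified"
        if HIDDEN_SCRIPT.search(e.detail) and not PKG_TREES.search(e.detail):
            return "hidden_dir_script"
    elif e.kind == "network":
        if e.detail.rsplit(":", 1)[0] not in REGISTRY_HOSTS:
            return "unexpected_network"
    elif e.kind == "process":
        m = INTERP_EXEC.match(e.detail)
        if m and HIDDEN_SCRIPT.search(m.group(1)) and not PKG_TREES.search(m.group(1)):
            return "interpreter_ran_hidden_script"
    return None


def correlate(events, window=WINDOW, min_indicators=1):
    """One alert per non-root install followed, on the same host and user
    within the window, by at least min_indicators distinct indicators."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, inst in enumerate(events):
        if inst.kind != "process" or inst.uid == 0 or not PKG_INSTALL.search(inst.detail):
            continue
        hits = {}  # indicator -> first supporting event detail
        for e in events[i + 1:]:
            if e.ts - inst.ts > window:
                break
            if (e.host, e.user) != (inst.host, inst.user):
                continue
            tag = classify(e)
            if tag:
                hits.setdefault(tag, e.detail)
        if len(hits) >= min_indicators:
            alerts.append({"host": inst.host, "user": inst.user,
                           "install": inst.detail, "indicators": hits})
    return alerts


def _ev(ts, host, user, uid, kind, detail):
    return Event(datetime.fromisoformat(ts), host, user, uid, kind, detail)


# Constructed sample telemetry. alice's install is routine (registry traffic,
# files under site-packages); bob's is followed by a hidden script, a .bashrc
# edit, interpreter execution and a connection to a non-registry host.
SAMPLE_EVENTS = [
    _ev("2026-01-15T09:00:00", "dev01", "alice", 1000, "process", "pip install requests"),
    _ev("2026-01-15T09:00:03", "dev01", "alice", 1000, "network", "pypi.org:443"),
    _ev("2026-01-15T09:00:05", "dev01", "alice", 1000, "file",
        "/home/alice/.local/lib/python3.11/site-packages/requests/api.py"),
    _ev("2026-01-15T09:30:00", "dev01", "bob", 1001, "process", "npm install example-helper"),
    _ev("2026-01-15T09:30:02", "dev01", "bob", 1001, "network", "registry.npmjs.org:443"),
    _ev("2026-01-15T09:30:04", "dev01", "bob", 1001, "file", "/home/bob/node_modules/example-helper/index.js"),
    _ev("2026-01-15T09:30:09", "dev01", "bob", 1001, "file", "/home/bob/.cache/.x/agent.py"),
    _ev("2026-01-15T09:30:10", "dev01", "bob", 1001, "file", "/home/bob/.bashrc"),
    _ev("2026-01-15T09:30:15", "dev01", "bob", 1001, "process", "python3 /home/bob/.cache/.x/agent.py"),
    _ev("2026-01-15T09:30:20", "dev01", "bob", 1001, "network", "203.0.113.45:443"),
    # root install with a follow-on file: outside this analytic's non-root scope.
    _ev("2026-01-15T10:00:00", "dev01", "root", 0, "process", "pip install ansible"),
    _ev("2026-01-15T10:00:30", "dev01", "root", 0, "file", "/root/.ansible/tmp/x.py"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Raising `min_indicators` to 2 is the usual tuning lever once the exclusions are in place: a single hidden-directory file after an install is common in developer tooling, while a hidden script plus a profile edit or a non-registry connection in the same window is rarely benign. The host-and-user join is deliberate; joining on process ancestry is better where the telemetry carries it, since it ties the follow-on activity to the install's child processes rather than to anything the same user did in the window.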
Mitigation priorities
- Inventory Linux systems where non-root users can install language libraries and identify which are business-critical or developer-facing.
- Ensure endpoint logging captures process, file, network, and login/startup activity needed to reconstruct the sequence described by the analytic.
- Apply least-privilege and software governance appropriate to the system role, without blocking legitimate development workflows unnecessarily.
- Use change control or allowlisting expectations for production and sensitive Linux hosts where user-initiated package installs should be rare.
- Prepare IR triage steps to collect recent package-manager commands, new hidden-directory scripts, interpreter executions, and related outbound connections.
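The triage collection in the last point, as an added example of what to pull from a user's home directory on a suspect host; this is not an official ATT&CK or Glexia procedure. It assumes bash or zsh history files, the usual shell-profile and user-level `systemd`/autostart startup locations, and a `since` cutoff in epoch seconds; the demo home it builds is constructed for the run, not evidence from a real incident.

```python
"""Host-side triage for the install-then-persist sequence on a Linux user home.

Added example for this page, not an official ATT&CK or Glexia procedure. It
assumes bash/zsh history files, shell-profile and user systemd/autostart
startup locations, and a 'since' cutoff in epoch seconds; the demo home it
builds is constructed, not evidence from a real incident."""
import os
import re
import tempfile
import time
from pathlib import Path

PKG_CMD = re.compile(r"\b(?:pip3?|python3? -m pip|npm|yarn)\b.*\binstall\b")
# An interpreter invoked on a path that contains a hidden component.
INTERP_HOOK = re.compile(r"\b(?:python3?|node|bash|sh)\b\s+\S*/\.")
# Package-manager install trees: expected after any install, so not evidence.
PKG_TREES = re.compile(r"/(?:site-packages|node_modules|\.npm|\.cache/pip)/")
STARTUP_FILES = (".bashrc", ".bash_profile", ".profile", ".zshrc")
STARTUP_DIRS = (".config/autostart", ".config/systemd/user")
SCRIPT_SUFFIXES = {".py", ".sh", ".js"}


def recent_install_commands(home: Path):
    """Package installs from shell history. Bash history carries no timestamps
    unless HISTTIMEFORMAT was set, so this establishes order, not time."""
    cmds = []
    for name in (".bash_history", ".zsh_history"):
        p = home / name
        if p.is_file():
            cmds += [l.strip() for l in p.read_text(errors="replace").splitlines()
                     if PKG_CMD.search(l)]
    return cmds


def recent_hidden_scripts(home: Path, since: float):
    """Scripts under hidden directories modified at or after 'since',
    skipping package-manager trees. Times come from st_mtime, which an
    intruder can reset; treat the result as a lead, not proof."""
    found = []
    for root, _dirs, files in os.walk(home):
        rel = os.path.relpath(root, home)
        parts = [] if rel == "." else rel.split(os.sep)
        if not any(part.startswith(".") for part in parts):
            continue
        for f in files:
            p = Path(root) / f
            if (p.suffix in SCRIPT_SUFFIXES and p.is_file()
                    and not PKG_TREES.search(str(p)) and p.stat().st_mtime >= since):
                found.append(str(p))
    return sorted(found)


def startup_interpreter_hooks(home: Path):
    """Lines in shell profiles or user autostart/systemd units that launch an
    interpreter on a hidden path (the boot/login leg of the analytic)."""
    candidates = [home / f for f in STARTUP_FILES]
    for d in STARTUP_DIRS:
        if (home / d).is_dir():
            candidates += [p for p in (home / d).iterdir() if p.is_file()]
    hooks = []
    for p in candidates:
        if p.is_file():
            for line in p.read_text(errors="replace").splitlines():
                if INTERP_HOOK.search(line):
                    hooks.append((str(p), line.strip()))
    return hooks


def triage(home, since):
    home = Path(home)
    return {"installs": recent_install_commands(home),
            "hidden_scripts": recent_hidden_scripts(home, since),
            "startup_hooks": startup_interpreter_hooks(home)}


def build_demo_home():
    """Constructed home directory reproducing the analytic's sequence."""
    home = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    (home / ".bash_history").write_text("ls\nnpm install example-helper\nvim notes.txt\n")
    (home / ".cache" / ".x").mkdir(parents=True)
    (home / ".cache" / ".x" / "agent.py").write_text("# constructed placeholder, does nothing\n")
    sp = home / ".local" / "lib" / "python3.11" / "site-packages" / "requests"
    sp.mkdir(parents=True)
    (sp / "api.py").write_text("")                 # legitimate pip output, excluded
    (home / "projects").mkdir()
    (home / "projects" / "app.py").write_text("")  # not under a hidden directory
    (home / ".bashrc").write_text(
        "export PATH=$PATH:~/bin\nnohup python3 ~/.cache/.x/agent.py >/dev/null 2>&1 &\n")
    return home


if __name__ == "__main__":
    demo = build_demo_home()
    print(triage(demo, time.time() - 3600))
```

Run it against each home directory under `/home` (and `/root`, since the same sequence by root is out of this analytic's scope but not out of the investigation's) from a live-response shell, and record the results alongside the process and network telemetry rather than instead of it: history files can be cleared and mtimes reset, so an empty result here does not clear the host. Outbound connections from the discovered script are better answered by the endpoint's network telemetry than by anything left on disk.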
Analyst notes and limits
This is a detection analytic for Linux focused on user-initiated language library installation followed by suspicious post-install behavior. No relationship context, tactics, or formal detection logic were supplied, so local telemetry quality and baselining determine practical value.
The supplied ATT&CK object provides a description but no official detection implementation, no tactics, and no relationships to techniques, groups, software, mitigations, or data sources. This take does not infer active exploitation, attribution, impact, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a65ba1db968c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0698
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.