AN1549: Analytic 1549
Adversary installs or abuses IDE extensions via CLI or direct write to profile directories and then communicates with marketplaces or remote tunnel services. Chain: auditd execve (code/idea/eclipse) with install/update flags or writes under ~/.vscode/extensions, ~/.config/JetBrains → outbound flows to *.visualstudio.com, marketplace.visualstudio.com, *.jetbrains.com, githubusercontent.com, or SSH/WebSocket tunnel endpoints → optional ssh/node processes spawned by IDE.
Analyst context for executives and security teams
This analytic is about spotting suspicious use or installation of IDE extensions on Linux, especially when command-line IDE activity or direct writes to developer profile directories are followed by outbound connections to extension marketplaces, code-hosting content, or tunnel-like services. For leaders, the business issue is developer workstation trust: IDEs often sit close to source code, credentials, build systems, and cloud access, so extension activity deserves security visibility even when it looks like normal engineering work.
Executive priority
Prioritize this as a developer endpoint and software supply-chain monitoring question. Security leaders should ask whether Linux developer workstations generate usable audit and network evidence, whether SOC teams can distinguish expected extension updates from unusual extension installation paths, and whether incident responders can quickly determine if an IDE spawned unexpected ssh or node processes. This supports operational resilience, identity/cloud access protection, and audit evidence around controls for engineering environments.
Technical view
For Linux platforms, validate coverage for auditd execve events involving IDE processes such as code, idea, or eclipse using install or update-style flags; file activity under user IDE extension/profile paths such as ~/.vscode/extensions and ~/.config/JetBrains; outbound flows to marketplace.visualstudio.com, *.visualstudio.com, *.jetbrains.com, githubusercontent.com, and SSH/WebSocket tunnel endpoints; and child processes such as ssh or node spawned by the IDE. Because no ATT&CK tactic or relationship context is supplied, treat this as a detection analytic for suspicious chained behavior rather than a complete technique-level detection model.
Likely telemetry
- Linux auditd execve process execution events
- Command-line arguments for IDE processes such as code, idea, and eclipse
- File write/create activity in user IDE extension and configuration directories
- Network flow, DNS, proxy, or firewall records for IDE-related outbound connections
- Parent-child process telemetry showing IDE-spawned ssh or node processes
Detection direction
- Correlate process execution, file writes, and outbound network activity rather than alerting on any single IDE extension update in isolation.
- Baseline normal developer extension installation and update behavior to reduce false positives from legitimate marketplace usage.
- Tune for unusual direct writes to IDE profile or extension directories, unexpected install/update flags, or IDE activity occurring under uncommon users or hosts.
- Review outbound connections to listed marketplace and content domains in context, while treating tunnel-like SSH or WebSocket endpoints as higher-priority follow-up signals.
- Validate blind spots on Linux endpoints where auditd, command-line capture, file monitoring, DNS/proxy logs, or parent-child process telemetry are incomplete.
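The correlation the list above calls for, written out as an added example (not part of the MITRE analytic or the Glexia page). It assumes a SIEM has already normalized auditd execve, file-write, network-flow and parent-child records into Python dicts with the field names used here; the IDE binaries, install flags, domain patterns, 15-minute window and the sample events are all assumptions, and the sample telemetry is constructed, not captured from a real host.

```python
"""Correlate IDE extension install/write anchors with follow-on network and
process events per (host, user). Event dicts are assumed SIEM-normalized."""
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed starting sets; tune to the IDEs, flags and domains in your environment.
IDE_BINARIES = {"code", "idea", "eclipse"}
INSTALL_FLAGS = {"--install-extension", "--update-extensions"}
EXTENSION_DIRS = ("/.vscode/extensions/", "/.config/JetBrains/")
MARKETPLACE_PATTERNS = ("marketplace.visualstudio.com", "*.visualstudio.com",
                        "*.jetbrains.com", "*githubusercontent.com")
TUNNEL_CHILDREN = {"ssh", "node"}
WINDOW = timedelta(minutes=15)  # assumed look-ahead window after the anchor


def is_install_exec(ev):
    """auditd execve of an IDE binary carrying an install/update-style flag."""
    if ev["kind"] != "exec":
        return False
    argv = ev["argv"]
    return argv[0] in IDE_BINARIES and bool(INSTALL_FLAGS & set(argv[1:]))


def is_extension_write(ev):
    """File create/write under a user IDE extension or profile directory."""
    return ev["kind"] == "file" and any(d in ev["path"] for d in EXTENSION_DIRS)


def is_marketplace_flow(ev):
    """Outbound flow to a listed marketplace/content domain (expected noise)."""
    return ev["kind"] == "net" and any(
        fnmatch.fnmatch(ev["dest"], p) for p in MARKETPLACE_PATTERNS)


def is_tunnel_flow(ev):
    """SSH-port or WebSocket flow to a destination that is not a marketplace."""
    return (ev["kind"] == "net" and not is_marketplace_flow(ev)
            and (ev.get("port") == 22 or ev.get("proto") == "websocket"))


def is_ide_spawned_child(ev):
    """ssh or node whose parent process is an IDE binary."""
    return (ev["kind"] == "child" and ev["parent"] in IDE_BINARIES
            and ev["image"] in TUNNEL_CHILDREN)


def correlate(events):
    """One finding per (host, user) whose first anchor (install exec or
    extension-directory write) is followed within WINDOW by marketplace,
    tunnel or IDE-spawned child activity. An anchor alone yields nothing."""
    by_principal = defaultdict(list)
    for ev in events:
        by_principal[(ev["host"], ev["user"])].append(ev)
    findings = []
    for (host, user), evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        anchors = [e for e in evs if is_install_exec(e) or is_extension_write(e)]
        if not anchors:
            continue
        t0 = anchors[0]["ts"]
        follow = [e for e in evs if t0 <= e["ts"] <= t0 + WINDOW]
        marketplace = [e for e in follow if is_marketplace_flow(e)]
        tunnel = [e for e in follow if is_tunnel_flow(e)]
        children = [e for e in follow if is_ide_spawned_child(e)]
        if tunnel or children:
            severity = "high"  # tunnel-like follow-up: higher-priority signal
        elif marketplace:
            severity = "low"   # ordinary install chain: review in context
        else:
            continue
        findings.append({"host": host, "user": user, "severity": severity,
                         "anchor": anchors[0], "marketplace": len(marketplace),
                         "tunnel": len(tunnel), "children": len(children)})
    return findings


T = datetime.fromisoformat

# Constructed sample telemetry. devbox1: routine marketplace install chain;
# devbox2: direct plugin write, then SSH outbound and ssh spawned under idea;
# devbox3: only lists extensions, so there is no anchor.
SAMPLE_EVENTS = [
    {"ts": T("2024-05-01T09:00:00"), "host": "devbox1", "user": "alice", "kind": "exec",
     "argv": ["code", "--install-extension", "example.sample-extension"]},
    {"ts": T("2024-05-01T09:00:03"), "host": "devbox1", "user": "alice", "kind": "net",
     "dest": "marketplace.visualstudio.com", "port": 443, "proto": "tls"},
    {"ts": T("2024-05-01T09:00:05"), "host": "devbox1", "user": "alice", "kind": "file",
     "path": "/home/alice/.vscode/extensions/example.sample-extension-1.0.0/package.json"},
    {"ts": T("2024-05-01T10:30:00"), "host": "devbox2", "user": "bob", "kind": "file",
     "path": "/home/bob/.config/JetBrains/IntelliJIdea2024.1/plugins/helper/lib/helper.jar"},
    {"ts": T("2024-05-01T10:31:10"), "host": "devbox2", "user": "bob", "kind": "net",
     "dest": "203.0.113.5", "port": 22, "proto": "tcp"},
    {"ts": T("2024-05-01T10:31:12"), "host": "devbox2", "user": "bob", "kind": "child",
     "parent": "idea", "image": "ssh"},
    {"ts": T("2024-05-01T11:00:00"), "host": "devbox3", "user": "carol", "kind": "exec",
     "argv": ["code", "--list-extensions"]},
    {"ts": T("2024-05-01T11:00:02"), "host": "devbox3", "user": "carol", "kind": "net",
     "dest": "marketplace.visualstudio.com", "port": 443, "proto": "tls"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a low-severity finding for devbox1/alice (install flag plus marketplace flow, the baseline case) and a high-severity one for devbox2/bob (profile-directory write followed by an SSH flow and an IDE-spawned ssh). devbox3/carol produces nothing: a marketplace flow with no install or write anchor is exactly the single-signal noise the list says not to alert on. The anchor-first design also means a tunnel flow seen without any IDE anchor is left to other analytics rather than this one.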
Mitigation priorities
- Ensure Linux developer endpoints have audit and network logging sufficient to reconstruct IDE extension installation and follow-on communications.
- Define acceptable IDE extension sources and update practices for engineering environments.
- Restrict or review unnecessary outbound tunnel behavior from developer workstations where business operations allow.
- Use least-privilege and credential hygiene for developer systems because IDEs may have access to source code, tokens, or cloud tooling.
- Prepare IR triage procedures for suspicious IDE extension activity, including collection of process history, extension directory contents, and related network destinations.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a full technique entry. Its value is in the described chain: IDE execution or extension-directory writes, followed by marketplace or tunnel-related network activity, with optional IDE-spawned ssh or node processes. Glexia would use this to test whether developer endpoint monitoring can connect those signals into an investigation-ready story.
Official detection text, tactics, labels, aliases, and relationship context were not supplied. The object only supports Linux-specific guidance. Local environment baselines are required to separate legitimate developer extension management from suspicious behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 175a2c857d42… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1549
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.