Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1550: Analytic 1550

Adversary adds IDE extensions or plugins (VS Code, JetBrains Toolbox/EAP, Eclipse) via GUI or CLI, possibly via managed profiles. Chain: process start with install/update flags → plist/extension folder changes under ~/Library/Application Support/Code or ~/Library/Application Support/JetBrains → outbound connections to marketplaces/tunnel services → optional helper (ssh/node) spawned.

EnterpriseAN1550AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic focuses on macOS developer workstations where an adversary may add IDE extensions or plugins through GUI, CLI, or managed profiles. The business significance is that developer tooling often has access to source code, credentials, build systems, and cloud workflows, so unexpected IDE extension activity can become an early warning signal for software supply chain, identity, and incident response risk.

Executive priority

Treat this as a control-validation item for organizations with macOS engineering fleets. Leaders should ask whether endpoint, network, and device-management telemetry can show who installed IDE plugins, when extension directories or plists changed, and whether the IDE then made unusual outbound connections or spawned helper processes such as ssh or node. This supports incident triage, audit evidence for developer endpoint governance, and prioritization of controls around software development environments.

Technical view

For SOC and detection teams, validate coverage on macOS for process starts involving IDE install or update behavior, file and plist changes under user IDE paths such as ~/Library/Application Support/Code and ~/Library/Application Support/JetBrains, outbound connections to extension marketplaces or tunnel services, and child/helper processes spawned by IDEs. Because the official object provides no standalone detection logic and no ATT&CK relationship context, this should be implemented as behavior correlation rather than a single high-confidence alert.

Likely telemetry

  • macOS endpoint process creation events for IDEs and related CLI tooling
  • Command-line arguments showing install or update flags where available
  • File and directory monitoring for IDE extension/plugin paths under user Library Application Support locations
  • macOS plist or managed profile change records related to IDE configuration
  • Network connection logs from IDE processes to extension marketplaces or tunnel services

Detection direction

  • Correlate process execution, extension directory or plist changes, and outbound network activity rather than alerting on any one event in isolation.
  • Baseline expected developer IDE extension installation and update patterns to reduce false positives from normal engineering activity.
  • Pay attention to IDE-spawned helper processes, especially ssh or node, when they occur shortly after plugin installation or update activity.
  • Validate whether telemetry captures user context, parent process, command-line arguments, file path, and network destination; gaps in any of these fields will reduce analytic value.
  • Separate approved enterprise-managed profile changes from user-initiated or unexpected plugin changes where device-management data is available.

Mitigation priorities

  • Inventory approved IDEs and expected extension/plugin sources for macOS developer systems.
  • Use device management and configuration governance to control or document managed IDE profiles where feasible.
  • Restrict or review unapproved extension sources and unexpected outbound connectivity from IDE processes based on organizational policy.
  • Ensure endpoint logging covers process, file, plist/profile, and network activity on developer workstations.
  • Include IDE extension changes in incident response playbooks for suspected developer endpoint or software supply chain compromise.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS and describes a behavioral chain involving IDE plugin installation, local configuration changes, outbound connections, and optional helper process execution. No tactics, relationships, aliases, or official detection text were supplied, so this take frames practical validation steps without mapping to additional ATT&CK techniques or asserting coverage.

This assessment is limited to the provided official STIX fields, external reference, and the object description. It does not establish active exploitation, attacker attribution, prevalence, impact, or guaranteed detectability. Local IDE usage patterns, endpoint logging quality, device-management practices, and network visibility are required to determine operational priority and alert fidelity.

Official MITRE ATT&CK definition

Analytic 1550

Adversary adds IDE extensions or plugins (VS Code, JetBrains Toolbox/EAP, Eclipse) via GUI or CLI, possibly via managed profiles. Chain: process start with install/update flags → plist/extension folder changes under ~/Library/Application Support/Code or ~/Library/Application Support/JetBrains → outbound connections to marketplaces/tunnel services → optional helper (ssh/node) spawned.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
f7c83307ce74da5e...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f7c83307ce74…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1550
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use