MITRE ATT&CK® Detection Strategy

DET0009: Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress)


Domain: Enterprise | ID: DET0009 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy is about spotting possible tampering in software dependencies or development tools by correlating dependency-manager activity, package writes or installs, first execution, and outbound network behavior. For leaders, the value is not just detecting malware; it is protecting the software supply chain that can become an initial access path into Linux, macOS, and Windows environments when trusted dependencies are manipulated before use.

Executive priority

Prioritize this where software development, build pipelines, endpoint engineering, or third-party package consumption are business-critical. The key decision is whether the organization can prove what dependencies and dev tools were installed, where they first ran, and whether they initiated unexpected egress. This supports incident triage, software integrity assurance, audit evidence, and risk decisions around dependency governance and initial-access exposure.

Technical view

ATT&CK links this detection strategy to T1195.001, Compromise Software Dependencies and Development Tools, under initial access. SOC, IR, and detection teams should validate whether they can correlate the sequence implied by the strategy name: dependency manager activity, file/package write or install events, first-run process execution, and network egress. Because the detection object has no official detection text or native platform list, platform assumptions should be anchored to the related technique: Linux, macOS, and Windows.

Likely telemetry

  • Dependency or package manager activity logs where available
  • Package install, update, or write events on developer workstations, build hosts, and servers
  • File creation or modification telemetry for dependency, tool, or package directories
  • Process execution telemetry showing first execution of newly installed dependencies or development tools
  • Network connection or proxy/DNS telemetry showing outbound egress soon after install or first run

Detection direction

  • Validate correlation across install/write, first-run execution, and egress rather than relying on any single event type.
  • Tune for developer and build environments where legitimate package installs are frequent; false positives are likely without baselines for expected tools, registries, and destinations.
  • Look for newly received dependencies or dev tools that execute unexpectedly or initiate outbound connections soon after installation.
  • Confirm coverage on Linux, macOS, and Windows only to the extent required by environments consuming dependencies or development tools.
  • Use the relationship to T1195.001 as context for initial-access triage, especially when activity involves externally sourced dependencies.
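The bullets above ask for correlation across the chain rather than alerting on any single event. The following is an added example written for this page, not code from the ATT&CK object or from Glexia's tooling, showing one way to do that over normalized telemetry. It anchors on the first observed execution of an image under a dependency root, looks back on the same host for a write to that path and a preceding package-manager event, and looks forward for egress from that image to a destination outside an approved-registry baseline. The event schema, the 30-minute window, the dependency roots, the approved destinations, and the sample hosts, packages and addresses are all assumptions constructed for the example; the exec/egress "subject" is simplified to the file that was run rather than the interpreter image plus command line you would see in real EDR data.

```python
"""Correlate manager -> write/install -> first-run -> egress per host (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """Normalized telemetry record. Mapping EDR/proxy fields onto it is an assumption."""
    ts: datetime
    host: str
    kind: str          # "manager" | "write" | "exec" | "egress"
    subject: str       # manager: package name; write/exec/egress: file or image path
    detail: str = ""   # manager: tool name; egress: destination hostname or IP


# Baseline assumptions for the example (tune to your fleet): destinations the build
# fleet is expected to reach, and directories treated as dependency/dev-tool roots.
APPROVED_EGRESS = {"registry.npmjs.org", "pypi.org", "files.pythonhosted.org"}
DEP_ROOTS = ("/node_modules/", "/site-packages/")
WINDOW = timedelta(minutes=30)


def first_runs(events):
    """Exec events that are the first observed execution of that image on that host."""
    seen, out = set(), []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "exec" and (e.host, e.subject) not in seen:
            seen.add((e.host, e.subject))
            out.append(e)
    return out


def correlate(events):
    """One alert per first-run image under a dependency root that was written after a
    package-manager event and then reached an unapproved destination, all within WINDOW."""
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    alerts = []
    for run in first_runs(events):
        if not any(root in run.subject for root in DEP_ROOTS):
            continue
        host_events = by_host[run.host]
        # Look back: the file that ran must have been written shortly before first run.
        writes = [w for w in host_events if w.kind == "write" and w.subject == run.subject
                  and run.ts - WINDOW <= w.ts <= run.ts]
        if not writes:
            continue
        write = max(writes, key=lambda w: w.ts)
        # Look back again: a dependency manager was active on the host before the write.
        managers = [m for m in host_events if m.kind == "manager"
                    and write.ts - WINDOW <= m.ts <= write.ts]
        if not managers:
            continue
        manager = max(managers, key=lambda m: m.ts)
        # Look forward: egress from the new image to somewhere outside the baseline.
        egress = [n for n in host_events if n.kind == "egress" and n.subject == run.subject
                  and run.ts <= n.ts <= run.ts + WINDOW and n.detail not in APPROVED_EGRESS]
        if not egress:
            continue
        alerts.append({
            "host": run.host,
            "image": run.subject,
            "manager": manager.detail,
            "package": manager.subject,
            "first_run": run.ts,
            "destinations": sorted({n.detail for n in egress}),
        })
    return alerts


# Constructed sample telemetry (not real logs). build01 shows the full suspicious chain;
# dev02 shows a routine pip install whose only egress goes to an approved registry.
T0 = datetime(2024, 5, 1, 10, 0, 0)
NPM_SCRIPT = "/home/ci/app/node_modules/example-dep/postinstall.js"
PIP_FILE = "/home/dev/venv/lib/python3.11/site-packages/requests/__init__.py"
SAMPLE_EVENTS = [
    Event(T0, "build01", "manager", "example-dep", "npm"),
    Event(T0 + timedelta(seconds=5), "build01", "write", NPM_SCRIPT),
    Event(T0 + timedelta(seconds=6), "build01", "exec", NPM_SCRIPT),
    Event(T0 + timedelta(seconds=8), "build01", "egress", NPM_SCRIPT, "203.0.113.10"),
    Event(T0 + timedelta(minutes=5), "build01", "exec", NPM_SCRIPT),  # repeat run, ignored
    Event(T0, "dev02", "manager", "requests", "pip"),
    Event(T0 + timedelta(seconds=3), "dev02", "write", PIP_FILE),
    Event(T0 + timedelta(seconds=9), "dev02", "exec", PIP_FILE),
    Event(T0 + timedelta(seconds=12), "dev02", "egress", PIP_FILE, "pypi.org"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints a single alert for build01 (npm installed example-dep, the postinstall script ran for the first time six seconds after being written, and it reached 203.0.113.10). The dev02 chain is suppressed only because pypi.org is in the approved set, which is exactly the baseline the tuning bullet above calls for; without it, every routine install that phones home to its registry would fire. In production you would key on file hashes or inodes rather than paths, resolve interpreter command lines to the script actually executed, and widen or narrow WINDOW to match how quickly your pipelines go from install to first use.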

Mitigation priorities

  • Establish an inventory of software dependencies, development tools, and systems that install or build from them.
  • Prioritize logging and retention for dependency managers, build systems, endpoint process execution, file writes, and network egress.
  • Restrict and review where dependencies may be retrieved from and which systems may perform installs or builds.
  • Baseline expected dependency install behavior and approved outbound destinations for developer and build environments.
  • Prepare incident response playbooks for isolating affected build or developer systems and tracing dependency receipt, installation, first execution, and downstream use.

Analyst notes and limits

The ATT&CK object is a detection strategy, not a technique, and it detects T1195.001. The official object name provides the main analytic sequence: manager to write/install to first run to egress. The related technique describes adversary manipulation of software dependencies and development tools prior to receipt by a final consumer, and names dependency ecosystems such as pip and NPM as examples.

The supplied detection strategy has no official description, no official detection text, no tactics, and no platforms listed directly. Recommendations therefore rely on the object name and its relationship to T1195.001. Local architecture, dependency sources, build tooling, endpoint telemetry, and network logging must be reviewed before claiming detection coverage.

Official MITRE ATT&CK definition

Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress)

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1195.001
Name: Compromise Software Dependencies and Development Tools (sub-technique)
Relationship / procedure: This object detects Compromise Software Dependencies and Development Tools.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: d64c2c78be7c1f47...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Object version: 1.0
Status: Current bundle
Raw hash: d64c2c78be7c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0009 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.