T1204.005: Malicious Library
Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may Upload Malware to package managers such as NPM and PyPi, as well as to public code repositories such as GitHub. User may install libraries without realizing they are malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that establishes persistence, steals data, or mines cryptocurrency.[1][2]
In some cases, threat actors may compromise and backdoor existing popular libraries (i.e., Compromise Software Dependencies and Development Tools). Alternatively, they may create entirely new packages and leverage behaviors such as typosquatting to encourage users to install them.
Analyst context for executives and security teams
Malicious Library matters because normal developer or user activity—installing a package from a package manager or public repository—can become the execution path for adversary code. The business risk is not only malware on an endpoint; it is trust in the software supply chain, developer workstations, build environments, and open-source dependency intake across Linux, macOS, and Windows.
Executive priority
Prioritize this where employees, contractors, or developers can install packages from sources such as NPM, PyPI, or public code repositories without approval or monitoring. Leaders should ask whether software installation rights, dependency governance, user training, and network prevention controls are sufficient to produce audit-ready evidence and support fast incident decisions when a suspicious package is found.
Technical view
This is an execution sub-technique under User Execution. SOC, IR, and detection engineering teams should validate visibility into user-initiated library/package installation activity on Linux, macOS, and Windows, especially from package managers and public repositories. ATT&CK provides no official detection text for this object, but the related detection strategy DET0252 specifically covers user-initiated malicious library installation via package manager. Detection work should focus on correlating package installation events with process execution, network connections, file writes, persistence attempts, data access, or cryptocurrency-mining-like behavior where locally observable.
Likely telemetry
- Package manager install activity such as NPM or PyPI package installation logs where available
- Endpoint process creation and command-line telemetry tied to package manager or interpreter activity
- File creation and modification events in user, project, dependency, and library paths
- Network connections initiated during or shortly after package installation
- Endpoint security alerts for suspicious code execution, persistence, data theft, or mining behavior
Detection direction
- Use DET0252 as the starting point for package-manager-focused detections rather than relying on generic malware alerts alone.
- Baseline expected package installation behavior by role, especially for developers, build systems, and power users, to reduce false positives.
- Correlate install events with immediate execution and follow-on behaviors; the technique is about user-facilitated execution, not merely the presence of an unfamiliar package.
- Validate visibility across Linux, macOS, and Windows because the ATT&CK object lists all three platforms.
- Account for blind spots where package manager logs are not centralized, developers use personal environments, or endpoint telemetry does not capture command-line arguments and child processes.
Mitigation priorities
- Limit software installation privileges and enforce approved installation paths using the M1033 mitigation direction.
- Pair technical restrictions with user training under M1017 so users understand package-name spoofing, typosquatting risk, and reporting expectations for suspicious libraries.
- Use network intrusion prevention under M1031 where signatures or policy controls can block known malicious traffic at network boundaries.
- For higher-risk developer and build environments, require review of new dependencies and maintain evidence of authorized package sources and installation activity.
- Prepare IR playbooks for suspicious library discovery: identify affected hosts/projects, determine install source and time, review execution and network activity, and remove or block unauthorized packages.
Analyst notes and limits
The supplied ATT&CK description highlights malicious packages uploaded to package managers such as NPM and PyPI, public repositories such as GitHub, compromised/backdoored popular libraries, and newly created packages using typosquatting. The object is a new enterprise ATT&CK sub-technique in version 19.1 and is scoped to execution on Linux, macOS, and Windows.
Official ATT&CK detection guidance is not provided for this object. Telemetry and control recommendations are therefore derived from the object description, listed platforms and tactic, and supplied relationships to DET0252, M1017, M1031, and M1033. Local package ecosystems, developer workflows, logging coverage, and software approval processes are required to assess real exposure or detection quality.
Malicious Library
Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may Upload Malware to package managers such as NPM and PyPi, as well as to public code repositories such as GitHub. User may install libraries without realizing they are malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that establishes persistence, steals data, or mines cryptocurrency.[1][2]
In some cases, threat actors may compromise and backdoor existing popular libraries (i.e., Compromise Software Dependencies and Development Tools). Alternatively, they may create entirely new packages and leverage behaviors such as typosquatting to encourage users to install them.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204 | User Execution | This object subtechnique of User Execution. |
Groups, software, and campaigns
G1052: Contagious Interview
Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. [1][2][3][4][5][6][7][8]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 982596ea33ee… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Datadog Security Labs Malicious PyPi Packages 2024
Sebastian Obregoso and Christophe Tafani-Dereeper. (2024, May 23). Malicious PyPI packages targeting highly specific MacOS machines. Retrieved May 22, 2025.
Open source URL -
[2]
Fortinet Malicious NPM Packages 2023
Jin Lee and Jenna Wang. (2023, October 2). Malicious Packages Hidden in NPM. Retrieved May 22, 2025.
Open source URL -
[3]
mitre-attack T1204.005Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.