IR-009 · supply-chain · v1.0.0

Software Supply Chain Compromise

⚠️ Severity: critical
Est. Time: 120m
📋 Steps: 11
🔧 Tools: 5 required
🔗 Integrations: 5 platforms
📊 Avg Resolution: 480m

🔧 Tools Required

SIEM, EDR, SCA tool, CI/CD platform, artifact registry

⚡ Triggers

security_advisory_for_used_dependency
siem_known_malicious_package_hash
ci_cd_anomalous_behavior
edr_post_install_script_alert
threat_intel_feed_package_compromise
developer_reported_anomaly

🔌 Integrations

snyk (required): Software Composition Analysis — package vulnerability and malware detection
crowdstrike falcon (required): Endpoint detection of post-install script execution and C2 communication
github advanced security (optional): Dependency graph and secret scanning in source code
jfrog xray (optional): Artifact scanning in internal package registry
splunk (required): CI/CD pipeline log correlation and network telemetry


Identify the exact package, its ecosystem (npm, PyPI, Go modules, Maven, NuGet, RubyGems), and the affected version range. Obtain the security advisory (GitHub Advisory, NVD, OSV.dev, or vendor bulletin); note that malicious-package entries often carry an OSV MAL- identifier rather than a CVE, so record whichever identifier exists. Confirm the nature of the compromise: malicious code injected into a legitimate package, a typosquatted package, a dependency confusion attack, or a compromised maintainer account. Establish what the malicious code does (data theft, RAT, cryptominer, backdoor, destructive payload). Record the affected range exactly as the advisory states it; exposure is then determined by the versions actually resolved in lockfiles and build artifacts, not by the constraint in a manifest.

⚡ Automation Hint

OSV.dev: POST https://api.osv.dev/v1/query with body {"package": {"name": "<pkg>", "ecosystem": "npm"}, "version": "<version>"} (the query endpoint accepts POST, not GET)
GitHub Advisory: GET https://api.github.com/advisories/<ghsa_id> (or GET https://api.github.com/advisories?ghsa_id=<ghsa_id>)
Snyk: GET https://snyk.io/api/v1/test/npm/<package>/<version> (send an Authorization: token <api_token> header)
npm audit: npm audit --json | jq '.vulnerabilities["<pkg>"]'

📤 Outputs

compromised_package
affected_versions
malicious_behavior
cve_or_ghsa_id
compromise_type
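The lookup and range check described in this step, as an added example that is not part of the playbook or any vendor's code: it builds the OSV.dev query body, evaluates an OSV affected range against a version (so the advisory's range, not a manifest constraint, decides exposure), finds every copy of the package in a package-lock.json including nested copies, and fills the step outputs. The request shape and the affected/ranges/events fields follow the public OSV API and schema; the advisory record, lockfile, package name example-widget and the MAL-/GHSA placeholder ids are constructed sample inputs, not real records, and the compromise-type heuristic is an assumption the analyst must confirm by reading the advisory.

```python
"""Resolve an OSV advisory to the step-1 outputs and check installed copies."""
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"


def osv_query_body(name, ecosystem, version=None):
    """JSON body for POST /v1/query (OSV's query endpoint is POST, not GET)."""
    body = {"package": {"name": name, "ecosystem": ecosystem}}
    if version:
        body["version"] = version
    return body


def query_osv(name, ecosystem, version=None):
    """Live lookup against OSV.dev; the offline demo below does not call it."""
    req = urllib.request.Request(
        OSV_QUERY_URL,
        data=json.dumps(osv_query_body(name, ecosystem, version)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def _ver_key(v):
    """Sort key for SemVer-style strings; a pre-release sorts below its release."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    nums += (0,) * (3 - len(nums))
    return (nums, pre == "", pre)


def version_in_range(version, rng):
    """Apply an OSV SEMVER/ECOSYSTEM range: affected from 'introduced' up to
    (excluding) 'fixed', or up to (including) 'last_affected'."""
    if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):
        return False  # GIT ranges need commit resolution; out of scope here
    v = _ver_key(version)
    affected = False
    # each event carries exactly one key; walk them in version order
    for ev in sorted(rng["events"], key=lambda e: _ver_key(next(iter(e.values())))):
        if "introduced" in ev and v >= _ver_key(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= _ver_key(ev["fixed"]):
            affected = False
        elif "last_affected" in ev and v > _ver_key(ev["last_affected"]):
            affected = False
    return affected


def affected_entries(vuln, name, ecosystem):
    """The 'affected' entries of an OSV record that name this package."""
    return [a for a in vuln.get("affected", [])
            if a.get("package", {}).get("name") == name
            and a.get("package", {}).get("ecosystem") == ecosystem]


def is_affected(vuln, name, ecosystem, version):
    for entry in affected_entries(vuln, name, ecosystem):
        if version in entry.get("versions", []):
            return True
        if any(version_in_range(version, r) for r in entry.get("ranges", [])):
            return True
    return False


def describe_ranges(vuln, name, ecosystem):
    """Render affected ranges as '>=a <b' strings for the incident record."""
    out = []
    for entry in affected_entries(vuln, name, ecosystem):
        for r in entry.get("ranges", []):
            parts = []
            for ev in r.get("events", []):
                if "introduced" in ev:
                    parts.append(">=" + ev["introduced"])
                if "fixed" in ev:
                    parts.append("<" + ev["fixed"])
                if "last_affected" in ev:
                    parts.append("<=" + ev["last_affected"])
            out.append(" ".join(parts))
        out.extend("=" + v for v in entry.get("versions", []))
    return out


def installed_copies(package_lock, name):
    """package-lock.json v2/v3: every node_modules/.../<name> path, nested copies
    included (a clean top-level copy does not clear a nested affected one)."""
    suffix = "node_modules/" + name
    return [(path, info.get("version"))
            for path, info in package_lock.get("packages", {}).items()
            if path == suffix or path.endswith("/" + suffix)]


def compromise_type_hint(vuln):
    """Heuristic only (assumption): OSV carries OpenSSF malicious-packages
    entries under MAL-* ids; anything else needs a human read of the advisory."""
    if vuln.get("id", "").startswith("MAL-"):
        return "malicious package; confirm injected code vs typosquat vs account takeover"
    return "undetermined; read the advisory"


def triage(vuln, package_lock, name, ecosystem):
    """Produce the step outputs plus per-copy exposure."""
    copies = [{"path": p, "version": v, "affected": is_affected(vuln, name, ecosystem, v)}
              for p, v in installed_copies(package_lock, name)]
    return {
        "compromised_package": ecosystem + ":" + name,
        "affected_versions": describe_ranges(vuln, name, ecosystem),
        "malicious_behavior": vuln.get("summary", ""),
        "cve_or_ghsa_id": [vuln.get("id")] + vuln.get("aliases", []),
        "compromise_type": compromise_type_hint(vuln),
        "installed": copies,
    }


# Constructed sample records with placeholder ids: not a real advisory or project.
SAMPLE_VULN = {
    "id": "MAL-0000-00000",
    "aliases": ["GHSA-xxxx-xxxx-xxxx"],
    "summary": "Post-install script exfiltrates environment variables",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "example-widget"},
        "ranges": [{"type": "SEMVER",
                    "events": [{"introduced": "2.0.0"}, {"fixed": "2.1.1"}]}],
    }],
}
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/example-widget": {"version": "2.1.0"},
        "node_modules/other-lib": {"version": "4.2.0"},
        "node_modules/other-lib/node_modules/example-widget": {"version": "1.9.5"},
    },
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VULN, SAMPLE_LOCK, "example-widget", "npm"), indent=2))
```

Run it as-is for the offline demo; for a real incident replace SAMPLE_VULN with the record returned by query_osv() and load the actual lockfile with json.load(). The nested copy is deliberately outside the range to show why every resolved copy is checked individually rather than trusting the top-level version alone.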