T1195.002: T1195.002

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 11/03/2020 15:17 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1195.002
Confidence: 100/100
Revoked: No
Published: 11/03/2020 15:17
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Compromise Software Supply Chain

Platforms

windows macos linux

Description

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)

Kill chain phases

Kill chain	Phase
mitre-attack	initial-access

Marking (TLP)

External references

Avast CCleaner3 2018
mitre-attack (T1195.002)
Command Five SK 2011

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (29)

APT32 uses SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC1069 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Moonstone Sleet uses Storm-1789

The MITRE Corporation Confidence 100

[Moonstone Sleet](https://attack.mitre.org/groups/G1036) is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, [Lazarus Group](https://attack.mitre.org/groups/G0032),…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Fox Tempest uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GlassWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT37 uses InkySquidGroup123

The MITRE Corporation Confidence 100

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Water Curse uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
vpmdhaj uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Funnull related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PhantomRaven related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

13–24 of 29

transformers.pyz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OtterCookie uses

Family
V2deck uses

Family
WAVESHAPER uses
OctoRAT uses

Family
Qilin uses

Family
DOMOAuth2_ uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Vidar uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
plain-crypto-js uses

Family
BeaverTail uses

Family
RAT uses

Family
Mini Shai Hulud uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 74

From PostCSS Masquerading to Windows RAT related

AlienVault Confidence 100 20 MITREs 9 IOCs 3 Observables
Artifact scanner detects npm package 'node-fetch-utils' using external … related

AlienVault Confidence 100 13 MITREs 2 Malwares 2 IOCs 1 Observable
3CXDesktopApp Intrusion Campaign Prevention related

AlienVault Confidence 100 20 MITREs 2 Malwares 29 IOCs 20 Observables 1 APT
Okendo Reviews Supply Chain Attack related

AlienVault Confidence 100 18 MITREs 5 Malwares 3 IOCs 3 Observables 1 APT
From package to postinstall payload: Inside the Mastra … related

AlienVault Confidence 100 21 MITREs 1 Malware 6 IOCs 1 Observable
140+ npm Packages Compromised in Coordinated Supply Chain … related

AlienVault Confidence 100 20 MITREs 1 Malware 9 IOCs 9 Observables
OptinMonster supply chain attack hits 1.2 million sites related

AlienVault Confidence 100 20 MITREs 10 IOCs 10 Observables
From external espionage to domestic targeting related

1 CVE 16 MITREs 5 Malwares 16 Observables 1 APT
Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics … related

AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables
Preinstall to persistence: Inside the npm Miasma credential-stealing … related

AlienVault Confidence 100 20 MITREs 6 IOCs 6 Observables
Malicious npm packages abuse dependency confusion to profile … related

20 MITREs 7 Observables
Typosquatted npm packages used to steal cloud and … related

20 MITREs 4 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (6)

CVE-2023-45311 targets

CVE-2023-0669 KEV targets

7.2 High

Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled …

Attack vector: Network
Published: 10/02/2023
Modified: 21/12/2025

CVE-2024-21338 KEV targets

7.8 High

Microsoft Windows Kernel contains an exposed IOCTL with insufficient access control vulnerability within the IOCTL (input and output control) dispatcher in appid.sys …

Attack vector: Local
Published: 04/03/2024
Modified: 21/12/2025

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2026-31431 KEV targets

7.8 High

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …

Attack vector: LOCAL
Complexity: LOW
EPSS: 0.0001 (P0.6%)
Published: 22/04/2026
Modified: 23/05/2026

CWE-669 Awaiting Analysis

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

Attack patterns (MITRE) (1)

T1195 subtechnique-of

Supply Chain Compromise MITRE

Course Of Action (2)

Update Software mitigates
Vulnerability Scanning mitigates

Campaign (2)

3CX Supply Chain Attack uses
SolarWinds Compromise uses

Contact About Legal notice Privacy policy Terms of use