216.73.217.64

T1204.005: Malicious Library

View on MITRE ATT&CK The MITRE Corporation · Published 22/05/2025 21:50 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID
T1204.005
Confidence
100/100
Revoked
No
Published
22/05/2025 21:50
Modified
27/03/2026 01:10
Author / Source
The MITRE Corporation

Platforms

windows macos linux

Description

Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may [Upload Malware](https://attack.mitre.org/techniques/T1608/001) to package managers such as NPM and PyPi, as well as to public code repositories such as GitHub. User may install libraries without realizing they are malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that establishes persistence, steals data, or mines cryptocurrency.(Citation: Datadog Security Labs Malicious PyPi Packages 2024)(Citation: Fortinet Malicious NPM Packages 2023) In some cases, threat actors may compromise and backdoor existing popular libraries (i.e., [Compromise Software Dependencies and Development Tools](https://attack.mitre.org/techniques/T1195/001)). Alternatively, they may create entirely new packages and leverage behaviors such as typosquatting to encourage users to install them.

Kill chain phases

Kill chainPhase
mitre-attack execution

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references