Adversary manipulates dependencies/dev tools used by developers or CI: a package manager (npm/yarn/pnpm, pip/pipenv, nuget/dotnet, chocolatey/winget, maven/gradle) or a compiler/IDE downloads or restores content; files are written under project paths and execution paths (node_modules, packages, .nuget, .gradle, .m2, %AppData%\npm, `%UserProfile%\.cargo\bin`, temp build dirs). First run of the newly written components triggers lifecycle scripts (preinstall/postinstall), shell/PowerShell spawning, or loader DLLs, followed by network egress to non-approved registries/CDNs.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| File Metadata (DC0059) | WinEventLog:Microsoft-Windows-CodeIntegrity/Operational | Invalid/Unsigned image when developer tool launches newly installed binaries |
| Network Traffic Flow (DC0078) | NSM:Flow | First-time outbound connections to package registries or unknown hosts immediately after restore/build |

| Field | Description |
|---|---|
| TimeWindow | Correlate file write by package manager to first execution and egress (default 90 minutes). |
| ApprovedRegistries | Allow-listed registries (e.g., registry.npmjs.org, pypi.org, nuget.org, maven.apache.org, company proxies/CDNs). |
| DevHosts | Limit analytics to engineering endpoints/CI agents to reduce noise. |
| TrustedPublishers | Code-signing publishers acceptable for dev tools. |

Developer or CI invokes package managers/compilers (apt/yum + build-essential, npm/yarn/pnpm, pip/pip3, gem, cargo, go, maven/gradle). These write executable or script files into PATH or project dirs and immediately execute embedded lifecycle hooks (preinstall/postinstall, setup.py, npm scripts) that spawn shells or curl/wget, followed by egress to unfamiliar registries or domains.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Process Modification (DC0020) | auditd:SYSCALL | rename, chmod |
| File Metadata (DC0059) | journald:package | dpkg/apt or yum/dnf transaction logs (install/update of build tools) |
| Network Traffic Flow (DC0078) | NSM:Flow | First-time egress to new registries/CDNs post-install/build |

| Field | Description |
|---|---|
| ApprovedRepos | Allowed APT/YUM repos and GPG keys for build tools. |
| PathScope | Monitor /usr/local/bin, /usr/bin, /opt/*/bin, ~/.local/bin, node_modules/.bin, .venv/bin, .cargo/bin, .gradle, .m2. |
| TimeWindow | Default 90 minutes for write→exec→egress linkage. |

Developer tools (Homebrew, pip, npm/yarn, Xcode builds) install or update dependencies; new Mach-O or scripts appear under /usr/local, /opt/homebrew, ~/Library/Application Support, project dirs (node_modules/.bin, venv/bin). First run spawns sh/zsh/osascript/curl and new outbound flows; Gatekeeper/AMFI may flag unsigned components.

| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | macos:unifiedlog | softwareupdated/homebrew/install logs, pkginstalld events |
| Process Creation (DC0032) | macos:endpointsecurity | exec |
| Network Traffic Flow (DC0078) | NSM:Flow | First-time egress to non-approved registries after dependency install |

| Field | Description |
|---|---|
| AllowedTeamIDs | Apple Developer Team IDs for approved dev tools (Xcode, JetBrains, etc.). |
| BrewTapsAllowList | Homebrew taps allowed in your environment. |
| TimeWindow | Default 90 minutes. |
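The three analytics above (Windows, Linux, macOS) describe the same chain: a package manager writes into an execution path, a lifecycle hook spawns a shell or downloader under that package manager, and the spawned process egresses to a host outside the approved registries, all inside TimeWindow. The following correlator is an added worked example, not detection logic from the ATT&CK page or from any product. It assumes Sysmon (EventCode 11/1 plus a flow source), auditd execve and Endpoint Security exec records have already been normalized into the `Event` shape defined here (the field names are this example's own), it encodes the page's mutable elements (TimeWindow, ApprovedRegistries, PathScope) as constants, and every host, pid, path, package name and destination in `sample_events()` is constructed. The corporate proxy entry in the allow-list is a placeholder.

```python
"""Write -> hook-exec -> egress correlator (added example, not page code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterator


@dataclass
class Event:
    """One normalized telemetry record; field names are this example's own."""
    ts: datetime
    host: str
    kind: str          # "process_create" | "file_create" | "network_flow"
    pid: int
    image: str         # full image path as logged by the source
    ppid: int = 0      # process_create only
    path: str = ""     # file_create only: path written
    dest: str = ""     # network_flow only: destination host or IP


# Mutable elements from the page; "npm-proxy.corp.example" is a constructed placeholder.
TIME_WINDOW = timedelta(minutes=90)
APPROVED_REGISTRIES = {"registry.npmjs.org", "pypi.org", "nuget.org",
                       "maven.apache.org", "npm-proxy.corp.example"}
PATH_SCOPE = ("node_modules", "/packages/", "/.nuget/", "/.gradle/", "/.m2/",
              "/.cargo/bin", "/appdata/roaming/npm", "/usr/local/bin", "/usr/bin",
              "/opt/", "/.local/bin", "/.venv/bin", "/library/application support")
PACKAGE_MANAGERS = {"npm", "yarn", "pnpm", "pip", "pip3", "python", "nuget", "dotnet",
                    "gradle", "mvn", "cargo", "go", "gem", "brew", "apt", "dpkg"}
HOOK_SPAWNS = {"cmd", "powershell", "pwsh", "sh", "bash", "zsh", "osascript", "curl", "wget"}


def base(image: str) -> str:
    """'C:\\Program Files\\nodejs\\npm.exe' -> 'npm'; '/usr/bin/pip3' -> 'pip3'."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def in_scope(path: str) -> bool:
    """True when the written path lies under one of the PathScope locations."""
    p = path.replace("\\", "/").lower()
    return any(frag in p for frag in PATH_SCOPE)


def ancestry(pid: int, procs: dict[int, tuple[str, int]]) -> Iterator[str]:
    """Yield image basenames from pid up the parent chain; bounded against pid reuse loops."""
    seen: set[int] = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        image, ppid = procs[pid]
        yield image
        pid = ppid


def correlate(events: list[Event]) -> list[dict]:
    """One alert per non-approved flow whose process descends from a package manager
    through a shell/downloader, provided a package manager wrote an in-scope file on
    the same host within TIME_WINDOW before the flow. Hosts are processed independently."""
    alerts: list[dict] = []
    for host in sorted({e.host for e in events}):
        procs: dict[int, tuple[str, int]] = {}   # pid -> (image basename, ppid)
        writes: list[Event] = []                   # in-scope writes by package managers
        for e in sorted((x for x in events if x.host == host), key=lambda x: x.ts):
            if e.kind == "process_create":
                procs[e.pid] = (base(e.image), e.ppid)
            elif e.kind == "file_create":
                if base(e.image) in PACKAGE_MANAGERS and in_scope(e.path):
                    writes.append(e)
            elif e.kind == "network_flow":
                if e.dest.lower() in APPROVED_REGISTRIES:
                    continue                       # approved registry: never alert
                chain = list(ancestry(e.pid, procs))
                if not (HOOK_SPAWNS & set(chain) and PACKAGE_MANAGERS & set(chain)):
                    continue                       # not a hook-spawned child of a dev tool
                recent = [w for w in writes if timedelta(0) <= e.ts - w.ts <= TIME_WINDOW]
                if not recent:
                    continue                       # write is outside TimeWindow
                alerts.append({"host": host, "written": recent[-1].path,
                               "chain": " <- ".join(chain), "dest": e.dest,
                               "minutes_since_write":
                                   round((e.ts - recent[-1].ts).total_seconds() / 60, 1)})
    return alerts


T0 = datetime(2024, 5, 6, 10, 0, 0)


def at(minutes: float) -> datetime:
    return T0 + timedelta(minutes=minutes)


def sample_events() -> list[Event]:
    """Constructed telemetry for three hosts (not real log data)."""
    npm = r"C:\Program Files\nodejs\npm.exe"
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        # Windows: npm restore writes a hook, node runs it, PowerShell egresses to an unknown CDN.
        Event(at(0), "dev-win-01", "process_create", 100, npm, ppid=50),
        Event(at(1), "dev-win-01", "file_create", 100, npm,
              path=r"C:\src\app\node_modules\example-pkg\postinstall.js"),
        Event(at(1.5), "dev-win-01", "process_create", 101, r"C:\Program Files\nodejs\node.exe", ppid=100),
        Event(at(1.6), "dev-win-01", "process_create", 102, ps, ppid=101),
        Event(at(1.7), "dev-win-01", "network_flow", 102, ps, dest="registry.npmjs.org"),
        Event(at(2), "dev-win-01", "network_flow", 102, ps, dest="cdn-static.example.net"),
        # Windows: a user-launched shell reaching the same host has no dev-tool ancestry -> no alert.
        Event(at(5), "dev-win-01", "process_create", 300, ps, ppid=50),
        Event(at(6), "dev-win-01", "network_flow", 300, ps, dest="cdn-static.example.net"),
        # Linux CI: pip3 writes into .venv/bin, sh -> curl egresses to a documentation-range IP.
        Event(at(60), "ci-linux-07", "process_create", 200, "/usr/bin/pip3", ppid=1),
        Event(at(61), "ci-linux-07", "file_create", 200, "/usr/bin/pip3", path="/home/ci/.venv/bin/example-hook"),
        Event(at(61.5), "ci-linux-07", "process_create", 201, "/bin/sh", ppid=200),
        Event(at(61.6), "ci-linux-07", "process_create", 202, "/usr/bin/curl", ppid=201),
        Event(at(62), "ci-linux-07", "network_flow", 202, "/usr/bin/curl", dest="203.0.113.42"),
        # macOS: brew write, zsh -> curl to the approved proxy, then a flow long after TimeWindow -> no alert.
        Event(at(120), "mac-dev-03", "process_create", 400, "/opt/homebrew/bin/brew", ppid=1),
        Event(at(121), "mac-dev-03", "file_create", 400, "/opt/homebrew/bin/brew", path="/opt/homebrew/bin/example-tool"),
        Event(at(121.5), "mac-dev-03", "process_create", 401, "/bin/zsh", ppid=400),
        Event(at(121.6), "mac-dev-03", "process_create", 402, "/usr/bin/curl", ppid=401),
        Event(at(122), "mac-dev-03", "network_flow", 402, "/usr/bin/curl", dest="npm-proxy.corp.example"),
        Event(at(300), "mac-dev-03", "network_flow", 402, "/usr/bin/curl", dest="203.0.113.9"),
    ]


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```

Run as a script it prints two alerts, one for the Windows host and one for the Linux CI agent; the macOS host stays quiet because its first egress goes to an approved registry and the later one falls outside TimeWindow, and the user-launched PowerShell on the Windows host is ignored because nothing in its parent chain is a package manager. Tuning happens in the four constants: widen APPROVED_REGISTRIES for mirrors such as files.pythonhosted.org or internal proxies, narrow PATH_SCOPE on hosts where /usr/bin writes are routine, and restrict the input feed to DevHosts before correlation rather than inside it.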