User Execution: Malicious Library

Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may Upload Malware to package managers such as npm and PyPI, as well as to public code repositories such as GitHub. Users may install libraries without realizing they are malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that establishes persistence, steals data, or mines cryptocurrency.[1][2]

In some cases, threat actors may compromise and backdoor existing popular libraries (i.e., Compromise Software Dependencies and Development Tools). Alternatively, they may create entirely new packages and leverage behaviors such as typosquatting to encourage users to install them.

ID: T1204.005
Sub-technique of: T1204
Tactic: Execution
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 22 May 2025
Last Modified: 22 May 2025

Procedure Examples

ID Name Description
G1052 Contagious Interview

Contagious Interview has relied on users to install a malicious library from a code repository to infect the victim's device and has led to additional payload distribution and theft of sensitive data.[3][4][5][6][7][8][9][10][11][12]

Mitigations

ID Mitigation Description
M1033 Limit Software Installation

Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones.

M1031 Network Intrusion Prevention

Network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.

M1017 User Training

Train developers to be aware of the existence of malicious libraries and how to avoid installing them.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0252 User-Initiated Malicious Library Installation via Package Manager (T1204.005) AN0698

User-initiated installation of Python (pip), NodeJS (npm), or other language libraries, followed by unexpected network connections, credential access, or startup file modifications. Defender sees pip install or npm install commands run by a non-root user, followed shortly by new .py, .sh, or .js files in hidden directories, or interpreter-based execution during boot/login.

AN0699

Execution of pip.exe, npm.cmd, or MSI installers within user context, followed by script interpreter startup (e.g., python.exe) or PowerShell with unusual child processes or file writes in %APPDATA%, %TEMP%, or %LOCALAPPDATA%. Defender correlates command-line install tools with Sysmon and Event Logs to trace downstream behavior.

AN0700

Execution of Homebrew, pip3, npm, or manually downloaded PKGs from Terminal or shell, followed by the creation of startup agents, interpreter spawns, or outbound connections to unfamiliar domains. Defender links Terminal commands to plist creation, unsigned binary launches, and python3 or node processes connecting to remote endpoints.
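
The Linux analytic above (AN0698) can be sketched as a correlation over process and file-creation telemetry. This is an added example, not code from MITRE or any product. The event schema, the 5-minute window, the allow-list of expected install paths, and all sample events and package names are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

INSTALL_RE = re.compile(r"(?:^|[\s/])(?:pip3?|npm)\s+(?:install|i|add)\b")
SCRIPT_EXT = (".py", ".sh", ".js")
# Assumed allow-list: locations the package managers themselves write to.
EXPECTED = ("/site-packages/", "/node_modules/", "/.cache/pip/", "/.npm/")

# Constructed sample telemetry (not real logs); package names are placeholders.
EVENTS = [
    {"ts": "2025-05-22T10:00:00", "type": "exec", "uid": 1000, "host": "dev1", "cmd": "pip install examplepkg-a"},
    {"ts": "2025-05-22T10:00:20", "type": "file_create", "uid": 1000, "host": "dev1",
     "path": "/home/alice/.local/lib/python3.11/site-packages/examplepkg_a/__init__.py"},
    {"ts": "2025-05-22T10:00:40", "type": "file_create", "uid": 1000, "host": "dev1", "path": "/home/alice/.config/.cache/update.py"},
    {"ts": "2025-05-22T10:01:10", "type": "file_create", "uid": 1000, "host": "dev1", "path": "/home/alice/project/main.py"},
    {"ts": "2025-05-22T11:00:00", "type": "exec", "uid": 0, "host": "dev1", "cmd": "pip install examplepkg-b"},
    {"ts": "2025-05-22T11:00:20", "type": "file_create", "uid": 0, "host": "dev1", "path": "/root/.local/helper.sh"},
    {"ts": "2025-05-22T12:00:00", "type": "exec", "uid": 1001, "host": "dev2", "cmd": "npm install examplepkg-c"},
    {"ts": "2025-05-22T12:30:00", "type": "file_create", "uid": 1001, "host": "dev2", "path": "/home/bob/.helper/run.js"},
]

def in_hidden_dir(path):
    """True if any directory component (not the file name) starts with a dot."""
    return any(p.startswith(".") for p in path.split("/")[:-1])

def correlate(events, window=timedelta(minutes=5)):
    """Pair non-root pip/npm installs with script files created in hidden dirs soon after."""
    last_install, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, key = datetime.fromisoformat(ev["ts"]), (ev["host"], ev["uid"])
        if ev["type"] == "exec":
            # The analytic scopes to installs run by a non-root user.
            if ev["uid"] != 0 and INSTALL_RE.search(ev["cmd"]):
                last_install[key] = (ts, ev["cmd"])
        elif ev["type"] == "file_create" and key in last_install:
            t0, cmd = last_install[key]
            path = ev["path"]
            # Skip the package manager's own writes; flag scripts in other hidden dirs.
            if (ts - t0 <= window and path.endswith(SCRIPT_EXT) and in_hidden_dir(path)
                    and not any(d in path for d in EXPECTED)):
                alerts.append({"host": ev["host"], "uid": ev["uid"], "install": cmd,
                               "path": path, "delay_s": int((ts - t0).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Without the allow-list, every `pip install --user` would alert on its own writes under `~/.local`, so the expected paths need tuning per environment before the window is widened.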

References