Tactics, Techniques & Procedures

Attack patterns observed in the wild, mapped to MITRE ATT&CK where applicable.

T1203
Exploitation for Client Execution

Malicious package content delivers exploit code intended to execute in a client application context.

T1556
Modify Authentication Process: implant 2FA on victim Telegram account

A hardcoded 2FA password and recovery email are installed on victim accounts via Telegram's updateTwoFaSettings, with the operator's IMAP mailbox auto-submitting the confirmation code.

OTP harvesting via Telegram chat 777000

Listens for messages on Telegram's official OTP sender chat 777000 and forwards every login code to operator-controlled bot channels.

T1021
Remote Services

Malware propagates or executes across additional systems by abusing remote management channels.

T1098
Account Manipulation

Malware modifies account state, access paths, sessions, or authorization material to expand or preserve access.

T1027
Obfuscated Files or Information

Malware hides payloads, strings, or logic through obfuscation, encoding, or non-obvious containers.

T1528
Steal Application Access Token

Malware steals application, cloud, package registry, CI/CD, or developer platform access tokens.

T1485
Data Destruction

Malware deletes, corrupts, or otherwise destroys local data or system state.

T1102
Web Service

Malware abuses legitimate web services such as Telegram, Discord, GitHub, Cloudflare Workers, or SaaS APIs for C2 or exfiltration.

T1059.006
Command and Scripting Interpreter: Python

Malware executes Python through PyPI package setup, install, or imported package code.

T1552.001
Unsecured Credentials: Credentials In Files

Malware searches local files, configuration, environment material, or developer workspaces for credentials.

T1041
Exfiltration Over C2 Channel

Collected credentials, files, or host data are sent to attacker-controlled infrastructure.

T1552.004
Unsecured Credentials: Private Keys

Malware targets SSH keys, wallet private keys, or other private key material.

T1071.004
Application Layer Protocol: DNS

Malware uses DNS requests as a command-and-control or exfiltration transport.

T1539
Steal Web Session Cookie

Malware targets browser cookies or session material for account takeover or downstream access.

T1071.001
Application Layer Protocol: Web Protocols

Malware uses HTTP, HTTPS, or WebSocket traffic for command-and-control or data movement.

T1546
Event Triggered Execution

Malware relies on package lifecycle events, hooks, or other trigger points to execute or maintain access.

T1036
Masquerading: package impersonation and typosquatting

Package names, metadata, or publishing context imitate legitimate public or private dependencies.

T1195.001
Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Malicious code is distributed through package registry artifacts or trusted developer tooling dependencies.

T1059.007
Command and Scripting Interpreter: JavaScript

Malware executes JavaScript through npm package entrypoints, lifecycle hooks, or imported package code.

T1105
Ingress Tool Transfer

Package code retrieves additional payloads, tools, or stage-two malware after execution.
