T1036

Masquerading

discovered 2024-12-11

The packages masquerade as an internal 'Platform Engineering Team' library set. Their metadata follows a constant fingerprint parameterized by scope: README marker 'Internal package — Platform Engineering Team'; author '<Scope> Platform Engineering <platform@<scope>.io>'; repository git+https://github.<scope>.io/platform/<pkg>.git; bugs https://jira.<scope>.io/projects/PLATFORM; homepage https://docs.<scope>.io/platform/<pkg>; a fake internal registry lure, registry=https://npm.<scope>.io; a telemetry cover story pointing to telemetry.<scope>.io; and descriptions drawn from a fixed pool (e.g. 'Internal structured logger ... remote drain support', 'Internal configuration loader with env, vault and remote config support'). A decoy dist/index.js require()s a ../src/index.js that is absent from the tarball, so the library is non-functional and only the postinstall script executes.
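A triage check for the fingerprint and the decoy entry point described above, as an added example that is not code from this page or from any scanner it describes. It assumes package names have the form @<scope>/<pkg> and that the caller supplies the unpacked tarball as a map of paths to contents; the function names are hypothetical.

```javascript
// Added example (not from the original page). Assumes names look like @<scope>/<pkg>.
const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
const urlOf = (v) => (typeof v === 'string' ? v : v?.url || '');

// Return which fingerprint fields match once the package's own scope is substituted.
function fingerprintHits(pkg, readme = '', npmrc = '') {
  const m = /^@([^/]+)\/(.+)$/.exec(pkg.name || '');
  if (!m) return [];
  const s = esc(m[1]);
  const p = esc(m[2]);
  const a = pkg.author || '';
  const author = typeof a === 'string' ? a : `${a.name || ''} <${a.email || ''}>`;
  const checks = {
    readme: [readme, 'Internal package — Platform Engineering Team'],
    author: [author, `^${s} Platform Engineering <platform@${s}\\.io>$`],
    repository: [urlOf(pkg.repository), `^git\\+https://github\\.${s}\\.io/platform/${p}\\.git$`],
    bugs: [urlOf(pkg.bugs), `^https://jira\\.${s}\\.io/projects/PLATFORM$`],
    homepage: [pkg.homepage || '', `^https://docs\\.${s}\\.io/platform/${p}$`],
    registry: [npmrc, `registry=https://npm\\.${s}\\.io`],
  };
  return Object.keys(checks).filter((k) => new RegExp(checks[k][1], 'i').test(checks[k][0]));
}

// Resolve a relative require() specifier against the entry file's directory.
function resolveRel(entry, spec) {
  const parts = entry.split('/').slice(0, -1);
  for (const seg of spec.split('/')) {
    if (seg === '..') parts.pop();
    else if (seg && seg !== '.') parts.push(seg);
  }
  return parts.join('/');
}

// List relative require() targets of the entry file that no tarball path satisfies.
// `files` maps tarball-relative paths to file contents.
function danglingRequires(files, entry = 'dist/index.js') {
  const re = /require\(\s*['"](\.{1,2}\/[^'"]+)['"]\s*\)/g;
  const missing = [];
  for (const [, spec] of (files[entry] || '').matchAll(re)) {
    const base = resolveRel(entry, spec);
    const tries = [base, `${base}.js`, `${base}.json`, `${base}/index.js`];
    if (!tries.some((t) => t in files)) missing.push(base);
  }
  return missing;
}
```

Several fingerprint hits together with a dangling require in dist/index.js and a postinstall script is the combination this entry describes; any single field on its own is weak evidence.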
