T1195.002 — Compromise Software Supply Chain

Technique

T1195.002

Tactics

Initial Access

MISP citations

0

KEV CVEs mapped

2

Community rules

15

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1195/002

MITRE description

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2024-4978
• CVE-2021-44529

Detection coverage

SigmaHQ community rules

• Shai-Hulud Malicious Bun Execution - Linux (emerging-threats)
• Shai-Hulud 2.0 Malicious NPM Package Installation - Linux (emerging-threats)
• Shai-Hulud Malicious Bun Execution (emerging-threats)
• Shai-Hulud 2.0 Malicious NPM Package Installation (emerging-threats)
• Axios NPM Compromise File Creation Indicators - Linux (emerging-threats)
• Axios NPM Compromise File Creation Indicators - MacOS (emerging-threats)
• Axios NPM Compromise File Creation Indicators - Windows (emerging-threats)
• Axios NPM Compromise Indicators - Linux (emerging-threats)
• Axios NPM Compromise Indicators - macOS (emerging-threats)
• Axios NPM Compromise Indicators - Windows (emerging-threats)
• TeamPCP LiteLLM Supply Chain Attack Persistence Indicators (emerging-threats)
• LiteLLM / TeamPCP Supply Chain Attack Indicators (emerging-threats)
• Notepad++ Updater DNS Query to Uncommon Domains (core)
• Uncommon File Created by Notepad++ Updater Gup.EXE (core)
• Suspicious Child Process of Notepad++ Updater - GUP.Exe (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.