T1195.001 is the initial-access technique that turns the developer's own dependency graph into the attacker's entry point: trojaned PyPI packages, malicious GitHub Actions, compromised npm publishers. The May 2026 TeamPCP raid on LiteLLM, BerriAI, Trivy, and Checkmarx made AI gateway packages the worked example. DCV does not catch the install step itself; it maps the downstream cloud signal that follows: build-host outbound connections, IAM token reads from CI runners, and audit-log gaps where stolen credentials are already in use. Treat AI gateway packages as identity infrastructure when scoping detection coverage.
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications, such as pip and NPM packages, may be targeted as a means to add malicious code to users of the dependency. This may also include abandoned packages, which in some cases could be re-registered by threat actors after being removed by adversaries. Adversaries may also employ "typosquatting" or name-confusion by choosing names similar to existing popular libraries or packages in order to deceive a user.
Additionally, CI/CD pipeline components, such as GitHub Actions, may be targeted in order to gain access to the building, testing, and deployment cycles of an application. By adding malicious code into a GitHub action, a threat actor may be able to collect runtime credentials (e.g., via Proc Filesystem) or insert further malicious components into the build pipelines for a second-order supply chain compromise. As GitHub Actions are often dependent on other GitHub Actions, threat actors may be able to infect a large number of repositories via the compromise of a single Action.
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.
Platforms: Linux, macOS, Windows.
DCV does not currently ship a cloud-audit-log finding mapped directly to T1195.001. The technique earns a library page because a13e research cites it. Detection sits downstream, on the exploitation step the technique enables.
CloudSigma does not currently ship a stand-alone rule that fires on T1195.001 in isolation. Generate a starting-point rule from the CVE, vulnerability disclosure, or threat-research blog post that exercises this technique, then pair it with SIEM-side correlation before enabling in production.
High-fidelity detection of T1195.001 requires correlation across multiple events: for example, a credential-validation call followed by a reconnaissance chain (List* / Describe*) within a short window from an unfamiliar source. A single-event Sigma rule on GetCallerIdentity alone fires constantly on legitimate CLI, SDK and CI/CD activity.
Where you have a specific advisory, vulnerability disclosure or blog post that exercises T1195.001-style abuse, CloudSigma can generate a starting-point rule from that input. You then deploy it in your SIEM and combine it with the SIEM's native correlation features (timeframe joins across users, source-IP anomalies, impossible-travel checks). For T1195.001 specifically the generated rule is rarely sufficient on its own; pair it with the SIEM-side correlation logic before enabling in production.
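The correlation described above, sketched in Python as an added example (not DCV or CloudSigma code). It assumes AWS CloudTrail-style records flattened to four fields; the window, threshold, source baseline and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)        # assumed correlation window
MIN_RECON = 3                        # assumed size of a "reconnaissance chain"
KNOWN_SOURCES = {"198.51.100.10"}    # assumed baseline, e.g. the CI egress IP
CI = "arn:aws:sts::111111111111:assumed-role/ci-deploy/build"  # constructed
DEV = "arn:aws:iam::111111111111:user/dev"                      # constructed

def rec(time, arn, ip, name):
    """Flattened CloudTrail-style record (constructed sample data)."""
    return {"eventTime": time, "arn": arn, "sourceIPAddress": ip, "eventName": name}

EVENTS = [
    # CI role from its usual address: same calls, familiar source, no alert.
    rec("2026-01-10T09:00:00Z", CI, "198.51.100.10", "GetCallerIdentity"),
    rec("2026-01-10T09:00:05Z", CI, "198.51.100.10", "ListBuckets"),
    rec("2026-01-10T09:00:09Z", CI, "198.51.100.10", "DescribeInstances"),
    rec("2026-01-10T09:00:12Z", CI, "198.51.100.10", "ListRoles"),
    # Same CI role from an unfamiliar address: validation, then a recon chain.
    rec("2026-01-10T10:00:00Z", CI, "203.0.113.77", "GetCallerIdentity"),
    rec("2026-01-10T10:00:20Z", CI, "203.0.113.77", "ListBuckets"),
    rec("2026-01-10T10:00:45Z", CI, "203.0.113.77", "DescribeInstances"),
    rec("2026-01-10T10:01:10Z", CI, "203.0.113.77", "ListRoles"),
    # Developer on a new network: one lookup 20 minutes later, below threshold.
    rec("2026-01-10T11:00:00Z", DEV, "192.0.2.44", "GetCallerIdentity"),
    rec("2026-01-10T11:20:00Z", DEV, "192.0.2.44", "ListBuckets"),
]

def ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def correlate(events, known=KNOWN_SOURCES, window=WINDOW, min_recon=MIN_RECON):
    """Alert on GetCallerIdentity from an unfamiliar source that the same
    principal and IP follow with >= min_recon List*/Describe* calls in window."""
    events = sorted(events, key=ts)
    alerts = []
    for i, first in enumerate(events):
        if first["eventName"] != "GetCallerIdentity" or first["sourceIPAddress"] in known:
            continue
        recon = [e["eventName"] for e in events[i + 1:]
                 if e["arn"] == first["arn"]
                 and e["sourceIPAddress"] == first["sourceIPAddress"]
                 and e["eventName"].startswith(("List", "Describe"))
                 and ts(e) - ts(first) <= window]
        if len(recon) >= min_recon:
            alerts.append({"arn": first["arn"], "ip": first["sourceIPAddress"],
                           "start": first["eventTime"], "recon": recon})
    return alerts
```

Running `correlate(EVENTS)` flags only the CI role's session from the unfamiliar address; the same calls from the baseline address and the developer's isolated lookup stay quiet, which is the gap a single-event GetCallerIdentity rule cannot express.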
T1195.001 has no cloud-audit-log signal of its own; DCV does not currently ship a finding mapped directly to it. The technique earns a library page because a13e research cites it. Detection sits downstream, on the exploitation step the technique enables (see Related techniques).
T1195.001 is part of the MITRE ATT&CK tactic TA0001 Initial Access: how adversaries get into the environment.
T1195.001 requires multi-event correlation that exceeds a single Sigma rule's structure. CloudSigma can generate a starting-point rule from a CVE, vulnerability disclosure, or threat-research blog post that exercises T1195.001-style abuse; pair it with SIEM-side correlation logic before enabling in production.