Package Maintainer Takeover
Reset maintainer password via dormant email domain re-registration / leaked npm token / dependency confusion — publish a malicious version.
§ Where this technique fits
SUP-PACKAGE-TAKEOVER is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 2.3 on average.
§ Dossiers chaining this technique
- step 1 / 5
GitHub Action tag mutation → silent supply-chain hijack
Target pins an action by tag (uses: org/action@v3). Compromise the action repo and move the v3 tag to a malicious commit — every workflow using it pulls in the backdoor.
- step 2 / 5
Compromised extension auto-update → fleet compromise
Take over a popular extension's developer account (credential stuffing on the store, abandoned email domain). Push a malicious version — every existing install runs attacker code on next launch.
- step 4 / 6
Leaked GitHub PAT → org takeover → supply-chain push
A maintainer's PAT lands in a public Gist (or a Docker image layer). The token has repo + workflow scopes — push a malicious commit to a popular package, fire the auto-publish workflow.
§ What commonly comes next
- 01 Extension Update Channel Takeover · seen 1× · BX-EXT-UPDATE-TAKEOVER · Persistence
- 02 Valid Accounts · seen 1× · T1078 · Initial Access
- 03 npm / PyPI / RubyGems Typosquat · seen 1× · SUP-NPM-TYPOSQUAT · Initial Access