T1566.001 – The attacker sends a phishing email containing a malicious link to a GitHub repository disguised as a legitimate project.
T1133 – The attacker hosts malicious code, disguised as an NPM package, on a public GitHub repository.
T1059.003 – The victim, a developer, uses the npm install command to install the malicious NPM package from the GitHub repository.
T1543 – The malicious NPM package contains a script that executes a malicious JavaScript file (‘test.js’) located in the ‘.vscode’ folder, establishing persistence on the victim’s machine.
T1071.001 – The malicious JavaScript file uses the cURL command to communicate with the attacker’s C2 server over HTTP to download additional payloads.
T1041 – The attacker uses the established C2 channel to exfiltrate sensitive data from the victim’s machine.