T1036
Masquerading
discovered 2024-12-11
Commits authored as claude@ and as dependabot/renovate/github-actions bot identities with benign messages ('chore: update dependencies', 'fix: resolve lint warnings') to blend with automation; binary disguised as tools/setup and .github/scripts/precheck.
Seen in packages
- npm themes-vendor (uses)
- npm x509-escaping (uses)
- npm keycloak-server (uses)
- npm module-stub (uses)
- npm postject-copy (uses)
- npm micrometer-docs (uses)
- npm orbit-playroom (uses)
- npm weekendfe (uses)
- npm chrome-api-utils (uses)
- npm grafana-sentry-datasource (uses)
- npm @patternfly-v5/patternfly (uses)
- npm electron-builder-13 (uses)
- npm graphql.vscode-graphql-syntax (uses)
- npm mattermost-cloudnative-bootstrapper (uses)
- npm nyc-config (uses)
- npm slf4j-api-js (uses)
- npm express-cookie-parser (uses)
- npm tensorflowjs (uses)
- pypi bitensor (uses)
- pypi bittenso-cli (uses)
- pypi qbittensor (uses)
- pypi bittenso (uses)
- npm hyatt-residential-roster (uses)
- npm hyatt-album (uses)
- npm hyatt-avatar (uses)
- npm @Schedaero/shared (uses)
- npm pino-sdk-v2 (uses)
- npm react-refresh-update (uses)
- npm oc-aa-module-client (uses)
- npm @wame/ngx-adfs (uses)
- npm @the-coca-cola-company/ngps-global-common-utils (uses)
- npm cr-static-shared-components (uses)
- npm @ceeferenderer/fe-renderer-sdk (uses)
- npm express-session-js (uses)
- npm strapi-plugin-cron (uses)
- npm strapi-plugin-config (uses)
- npm strapi-plugin-server (uses)
- npm strapi-plugin-database (uses)
- npm strapi-plugin-core (uses)
- npm strapi-plugin-hooks (uses)
- npm strapi-plugin-monitor (uses)
- npm strapi-plugin-events (uses)
- npm strapi-plugin-logger (uses)
- npm strapi-plugin-health (uses)
- npm strapi-plugin-sync (uses)
- npm strapi-plugin-seed (uses)
- npm strapi-plugin-locale (uses)
- npm strapi-plugin-form (uses)
- npm strapi-plugin-notify (uses)
- npm strapi-plugin-api (uses)
- npm strapi-plugin-sitemap-gen (uses)
- npm strapi-plugin-nordica-tools (uses)
- npm strapi-plugin-nordica-sync (uses)
- npm strapi-plugin-nordica-cms (uses)
- npm strapi-plugin-nordica-api (uses)
- npm strapi-plugin-nordica-recon (uses)
- npm strapi-plugin-nordica-stage (uses)
- npm strapi-plugin-nordica-vhost (uses)
- npm strapi-plugin-nordica-deep (uses)
- npm strapi-plugin-nordica-lite (uses)
- npm strapi-plugin-nordica (uses)
- npm strapi-plugin-finseven (uses)
- npm strapi-plugin-hextest (uses)
- npm strapi-plugin-cms-tools (uses)
- npm strapi-plugin-content-sync (uses)
- npm strapi-plugin-debug-tools (uses)
- npm strapi-plugin-health-check (uses)
- npm strapi-plugin-guardarian-ext (uses)
- npm strapi-plugin-advanced-uuid (uses)
- npm strapi-plugin-blurhash (uses)
- npm sjs-biginteger (uses)
- npm sjs-lint-build1 (uses)
- npm bjs-biginteger (uses)
- npm bjs-lint-builder (uses)
- npm bjs-lint-builders (uses)
- npm cjs-biginteger (uses)
- npm ts-lint-builds (uses)
- npm @genoma-ui/components (uses)
- npm rrweb-v1 (uses)
- npm @needl-ai/common (uses)
- npm changiairportpromax (uses)
- npm @cloudplatform-single-spa/billing (uses)
- npm @sber-ecom-core/sberpay-widget (uses)
- npm @emcd-vue/auth (uses)
- npm @emcd-vue/loans (uses)
- npm weavedb-sdk (uses)
- pypi gpt-pilot (uses)
Campaigns
- No Specific Campaign (attributed-to)
- Enterprise Dependency Confusion (attributed-to)
- Bittensor Typosquat Campaign (attributed-to)
- Strapi Plugin C2 Campaign (attributed-to)
- big.js Typosquat SSH Backdoor (attributed-to)
- oob-moika-tech-depconf-2026 (attributed-to)
- IronWorm (attributed-to)
- Miasma: The Spreading Blight (attributed-to)
