New to CAPEC? Start Here
Home > CAPEC List > CAPEC-538: Open-Source Library Manipulation (Version 3.9)  

CAPEC-538: Open-Source Library Manipulation

Attack Pattern ID: 538
Abstraction: Detailed
View customized information:
+ Description
Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.
+ Likelihood Of Attack


+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Determine the relevant open-source code project to target: The adversary will make the selection based on various criteria:

    • The open-source code currently in use on a selected target system.
    • The depth in the dependency graph of the open source code in relationship to other code bases in use on the target system. Choosing an OSS lower in the graph decreases the probability of discovery, but also decreases the scope of its use within the target system.
    • The programming language in which the open source code is implemented. Different languages present different opportunities for using known software weaknesses.
    • The quality of processes in place to make a contribution. For instance, some contribution sites use static and dynamic analysis tools, which could increase the probability of discovery.
    • The security requirements necessary to make a contribution. For instance, is the ownership lax allowing unsigned commits or anonymous users.
  1. Develop a plan for malicious contribution: The adversary develops a plan to contribute malicious code, taking the following into consideration:

    • The adversary will probably avoid easy-to-find software weaknesses, especially ones that static and dynamic analysis tools are likely to discover.
    • Common coding errors or missing edge cases of the algorithm, which can be explained away as being accidental, if discovered, will be preferred by the adversary.
    • Sometimes no identity is required to make a contribution. Other options are to steal an existing identity or create one. When creating a new identity, strike a balance between too little or too much detail. Using an stolen identity could cause a notification to be sent to the actual user.
  1. Execute the plan for malicious contribution: Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.

+ Prerequisites
Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location.
+ Skills Required
[Level: High]
Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration.
+ Example Instances
An adversary with access to an open source code project introduces a hard-to-find bug in the software that allows under very specific conditions for encryption to be disabled on data streams. The adversary commits the change to the code which is picked up by a manufacturer who develops VPN software. It is eventually deployed at the victim's location where the very specific conditions are met giving the adversary the ability to sniff plaintext traffic thought to be encrypted. This can provide to the adversary access to sensitive data of the victim.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.001Supply Chain Compromise: Software Dependencies and Development Tools
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <>.
+ Content History
Submission DateSubmitterOrganization
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Execution_Flow, Related_Attack_Patterns
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated @Name, Description, Example_Instances, Execution_Flow, Related_Attack_Patterns
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow, Taxonomy_Mappings
(Version 3.9)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
Previous Entry Names
Change DatePrevious Entry Name
(Version 3.5)
Open Source Libraries Altered
More information is available — Please select a different filter.
Page Last Updated or Reviewed: June 24, 2021