TriageP1~90 min

Scope a Supply-Chain Compromise

Identify the compromised vendor, affected software versions, and the blast radius across the estate using SBOMs, package managers, and deployment telemetry. Confirm whether the malicious artifact is actually present and executed, not only downloaded, so containment can be focused.

Actions

  1. 1

    Pull the vendor advisory and record: affected product, affected versions, published IoCs (hashes, domains, certificates), and the earliest known malicious release timestamp.

  2. 2

    Query SBOMs and package registries (npm ls, pip freeze, go list -m all, Trivy SBOM, Syft output) across build systems and runtime hosts for the affected package and version range.

  3. 3

    Across EDR telemetry, search for the malicious hash(es) as `FileHash` and as a loaded module parent: `DeviceFileEvents | where SHA256 in~ (<hashes>)` joined with `DeviceProcessEvents | where SHA256 in~ (<hashes>)` to separate "present on disk" from "actually executed".

  4. 4

    Check artifact repositories (JFrog, Nexus, GitHub Packages, internal PyPI mirror) for upload timestamps and download counts of the affected package to estimate blast radius.

  5. 5

    Search CI/CD logs (GitHub Actions, GitLab CI, Jenkins, Buildkite) for pipelines that installed the compromised package during the malicious-version window.

  6. 6

    Cross-reference outbound network telemetry for the vendor-disclosed C2 domains/IPs -- this is often faster than finding the artifact itself in a large estate.

Queries

DeviceFileEvents | where SHA256 in~ ("<hash1>","<hash2>") | summarize first_seen=min(Timestamp), hosts=make_set(DeviceName) by SHA256, FileName
DeviceProcessEvents | where SHA256 in~ ("<hash1>","<hash2>") or InitiatingProcessSHA256 in~ ("<hash1>","<hash2>") | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
DeviceNetworkEvents | where RemoteUrl has_any ("<c2-domain-1>","<c2-domain-2>") or RemoteIP in ("<c2-ip-1>") | summarize conns=count() by DeviceName, RemoteUrl, RemoteIP
index=ci sourcetype=github-actions earliest=<malicious-release-ts> ("npm install" OR "pip install" OR "go get") package="<compromised-pkg>" | stats values(repo), values(branch), min(_time), max(_time) by package

Notes

Distinguish "downloaded" from "executed" early. A package being present in node_modules or a Docker image layer does not necessarily mean the malicious payload ran -- check for the specific malicious function invocation, C2 callback, or post-install hook execution.

For signed malicious updates, hash-based IoCs are reliable but signing-chain IoCs (certificate thumbprints) can be more useful for hunting untagged versions.

If the vendor has not yet published IoCs, request private sharing under NDA through an ISAC or trusted peer channel -- do not wait for public disclosure.

Where to Go Next

Malicious payload was executed on affected hosts

Roll back and block the compromised release

Compromised package reached CI/CD but no execution confirmed

Preserve CI/CD and registry logs for later verification

Scope is unclear and vendor advisory is incomplete

Escalate vendor log request

Related Resources

Artifacts

3
AmCache.hveUnified Audit Log (UAL)Systemd Journal (Persistent Binary Logs)

Common Blockers

2
Compromised Vendor Artifact Provenance LostAttack Delivered via Legitimately Signed Update

Suggested Acquisition

4
FTK Imager Full Disk ImageEnCase Forensic Full Disk Imagedd / dc3dd Raw Disk ImageGuymager Full Disk Image