The act of inserting malicious logic into a software package so that normal installation or import triggers attacker-controlled behaviour. In supply chain attacks, trojanised packages often inherit user trust from a legitimate name while performing credential theft, data manipulation, or persistence once executed.
Expanded Definition
Package trojanisation is a software supply chain compromise in which a legitimate-looking package is altered so that installation, import, or routine execution activates attacker-controlled logic. In NHI and agentic environments, the key issue is not only code tampering but also the abuse of embedded secrets, service credentials, and automation hooks that the package can reach.
Definitions vary across vendors on whether the term should include malicious typosquatting, dependency confusion, or only direct modification of an existing package. At NHI Management Group, the practical boundary is whether a trusted package name or update path is being used to deliver harmful behavior into a runtime, build pipeline, or agent workflow. That matters because the risk often appears during normal developer activity, not at an obvious attack boundary. Standards such as the NIST Cybersecurity Framework 2.0 frame this as supply chain integrity and protective control failure rather than a standalone malware category. The most common misapplication is treating package trojanisation as a simple malware detection problem, which occurs when teams scan only final artifacts and ignore dependency provenance, package maintainer trust, and install-time execution paths.
Examples and Use Cases
Implementing controls against package trojanisation rigorously often introduces friction in development velocity, requiring organisations to weigh rapid dependency adoption against stronger provenance checks and release gating.
- A maintainer account is compromised and a new release adds code that steals API keys during post-install execution.
- A build system pulls a dependency from a public registry after a name collision, then executes hidden logic during import.
- An internal agent uses a package that was safe in earlier versions, but an update now includes persistence or exfiltration steps.
- A CI/CD pipeline installs a trojanised package, and the payload reads cloud tokens from environment variables during test runs.
- A dependency chain includes a malicious transitive package that activates only in production, making manual review ineffective.
Incident patterns like the LiteLLM PyPI package breach show how trust in familiar package ecosystems can be exploited once malicious code lands in an update or install path. Controls recommended by CISA secure software development guidance and provenance practices such as SLSA become especially relevant where packages are consumed by automation, build agents, or AI toolchains.
Why It Matters in NHI Security
Package trojanisation is an NHI problem because the payload often targets the identities embedded in software: service account tokens, cloud keys, signing material, and automation credentials. Once those secrets are exposed, the compromise extends beyond the package itself and can be reused to impersonate workloads, access data, or pivot across environments. NHI Mgmt Group research shows that 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, which makes a trojanised package especially dangerous when secrets are stored in code, CI/CD systems, or runtime variables.
This risk also undermines zero trust and software supply chain assurance. If package provenance, maintainership, and integrity are not continuously verified, a trusted dependency can become a covert access path into production systems. The NIST AI Risk Management Framework is relevant where agentic systems ingest packages dynamically, because the software artifact becomes part of the model-and-tool execution surface rather than a passive library. Organisational monitoring should therefore focus on package trust, secret exposure, and post-install behavior together, not as separate problems.
Organisations typically encounter the impact only after unusual outbound connections, revoked tokens, or unauthorized package updates are traced back to a dependency incident, at which point package trojanisation becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret exposure and improper handling that trojanised packages often exploit. |
| NIST CSF 2.0 | PR.DS | Addresses data and software integrity protections for trusted dependencies and pipelines. |
| NIST AI RMF | AI systems inherit supply chain risk when packages can alter tool or agent behavior. |
Inventory package-bound secrets, rotate exposed credentials, and block runtime access to long-lived tokens.
Related resources from NHI Mgmt Group
- How should teams reduce risk from malicious npm package installs?
- When does a compromised developer package become a major security risk?
- When should teams treat a package compromise as a cloud security event?
- How should security teams protect npm and package publishing workflows from identity compromise?
