
Insider Threat Matrix™
  • ID: IF029.003
  • Created: 21st March 2026
  • Updated: 29th March 2026
  • Contributor: The ITM Team

Dependency or Package Manipulation

A subject alters, introduces, or replaces software dependencies, libraries, or packages within an organizational codebase in a manner that introduces risk, bypasses approval processes, or embeds untrusted components.

This may include adding unapproved third-party libraries, switching to compromised or unofficial package sources, modifying dependency versions without validation, or introducing internally controlled packages that contain hidden or harmful functionality.

Dependency or package manipulation extends the codebase beyond internally developed logic, incorporating external or opaque components that may not be subject to the same level of scrutiny. This can introduce vulnerabilities, licensing issues, or supply chain risk, and may serve as a vector for indirect compromise of systems.
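The changes listed above (new unapproved libraries, unofficial package sources, unvalidated version changes, and direct URL dependencies) are all visible in a dependency manifest diff, which makes manifest review a practical detection point. The script below is an added example and is not part of the ITM page or any ITM tooling: it compares a proposed `requirements.txt` against the last approved one and an allowlist, and reports packages that are not approved, version changes, unpinned specifiers, and package sources whose host is not an approved registry. The registry names, the package allowlist, and both manifests are constructed for the example.

```python
"""Dependency manifest review for the manipulations described in IF029.003.

Added example, not part of the ITM page. It diffs a proposed pip
requirements manifest against the approved baseline and an allowlist.
All policy values and manifests below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed policy: registries that code may be fetched from, and the
# packages a change may depend on without a new approval.
APPROVED_REGISTRIES = {"pypi.org", "files.pythonhosted.org", "artifacts.example.internal"}
APPROVED_PACKAGES = {"requests", "pyyaml", "cryptography"}

# name, optional operator, version (environment markers and comments ignored)
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|<=|>|<|!=)?\s*([^\s;#]*)")


@dataclass(frozen=True)
class Finding:
    kind: str      # unapproved_package | version_change | unpinned | untrusted_source
    package: str   # "*" when the finding concerns a manifest-wide index URL
    detail: str


def _normalize(name: str) -> str:
    return name.lower().replace("_", "-")


def parse_manifest(text: str) -> tuple[dict[str, str], list[tuple[str, str]]]:
    """Return ({package: version_spec}, [(package_or_*, source_url)])."""
    pins: dict[str, str] = {}
    sources: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("--index-url", "--extra-index-url", "-i ")):
            # Index options may be written "--flag URL" or "--flag=URL".
            sources.append(("*", re.split(r"[\s=]+", line, 1)[1].strip()))
            continue
        if " @ " in line:                      # direct reference: pkg @ https://...
            name, url = (p.strip() for p in line.split(" @ ", 1))
            pins[_normalize(name)] = "@" + url
            sources.append((_normalize(name), url))
            continue
        m = PIN_RE.match(line)
        if m:
            name, op, ver = m.groups()
            pins[_normalize(name)] = f"{op or ''}{ver}"
    return pins, sources


def review(baseline: str, proposed: str) -> list[Finding]:
    """Compare a proposed manifest with the approved baseline and policy."""
    old, _ = parse_manifest(baseline)
    new, sources = parse_manifest(proposed)
    findings: list[Finding] = []
    for pkg, url in sources:
        host = urlparse(url).hostname or ""
        if host not in APPROVED_REGISTRIES:
            findings.append(Finding("untrusted_source", pkg, url))
    for name, spec in new.items():
        if name not in APPROVED_PACKAGES:
            findings.append(Finding("unapproved_package", name, spec or "(any version)"))
        if not (spec.startswith("==") or spec.startswith("@")):
            findings.append(Finding("unpinned", name, spec or "(any version)"))
        if name in old and old[name] != spec:
            findings.append(Finding("version_change", name, f"{old[name]} -> {spec}"))
    return sorted(findings, key=lambda f: (f.kind, f.package))


# Constructed manifests: the approved baseline and a proposed change that
# exhibits each manipulation pattern described in IF029.003.
BASELINE = """\
--index-url https://pypi.org/simple
requests==2.31.0
pyyaml==6.0.1
cryptography==42.0.5
"""

PROPOSED = """\
--index-url https://pypi.org/simple
--extra-index-url https://mirror.example-unapproved.net/simple
requests==2.31.0
pyyaml==5.4.1
cryptography>=42
leftpad-utils==0.0.3
helper @ https://github.example.net/someone/helper/archive/main.zip
"""

if __name__ == "__main__":
    for f in review(BASELINE, PROPOSED):
        print(f"{f.kind:19} {f.package:15} {f.detail}")
```

In practice the baseline is the manifest at the last approved commit and the script runs in the pipeline's pull-request check; the `untrusted_source` and `unapproved_package` findings are the ones that map most directly to this technique, while `version_change` and `unpinned` surface the unvalidated version edits the entry describes. Lockfile formats for other ecosystems need their own parser, but the policy comparison is the same.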