Critical Malicious NuGet Packages Drop Disruptive 'Time Bombs'

Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices.

The embedded malicious code uses a probabilistic trigger, so it may or may not activate depending on a set of parameters on the infected device.

NuGet is an open-source package manager and software distribution system, enabling developers to download and include ready-to-run .NET libraries for their projects.

Researchers at code security company Socket found nine malicious packages on NuGet, all published under the developer name shanhai666, that featured legitimate functionality along with the harmful code.

The packages "strategically target all three major database providers used in .NET applications (SQL Server, PostgreSQL, SQLite)." The most dangerous of them, however, is Sharp7Extend, which targets users of the legitimate Sharp7 library for communicating over Ethernet with Siemens programmable logic controllers (PLCs).

"By appending 'Extend' to the trusted Sharp7 name, the threat actor exploits developers searching for Sharp7 extensions or enhancements," Socket researchers said.
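The naming trick described above (a trusted package name with "Extend" appended) is something a dependency audit can catch before a build runs. The script below is an added example, not code from Socket or BleepingComputer: it parses a constructed .csproj, flags any PackageReference on a block list (here only Sharp7Extend, the package named in the report), and flags references whose name is a trusted package name plus a suffix such as "Extend" or "Extensions". The allowlist, the suffix list and the "Npgsql.Extend" entry in the sample project are hypothetical.

```python
"""Audit a .NET project's PackageReference entries for look-alike names.

Added example (not Socket's or BleepingComputer's code). Flags references that
(a) are on a block list of reported-malicious packages, or (b) extend a trusted
package name with a suffix, the pattern Sharp7Extend used against Sharp7.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Package named as malicious in the report (compared case-insensitively).
BLOCKED = {"sharp7extend"}

# Hypothetical allowlist of packages a team actually depends on.
TRUSTED = {"Sharp7", "Npgsql", "Microsoft.Data.SqlClient", "Microsoft.Data.Sqlite"}

# Suffixes that typically signal a "helper" package riding on a trusted name.
SUSPICIOUS_SUFFIXES = ("extend", "extension", "extensions", "ext", "plus", "helper", "helpers", "utils")

# Constructed sample project file; versions and "Npgsql.Extend" are made up.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sharp7" Version="1.0.0" />
    <PackageReference Include="Sharp7Extend" Version="1.0.0" />
    <PackageReference Include="Npgsql" Version="1.0.0" />
    <PackageReference Include="Npgsql.Extend" Version="1.0.0" />
    <PackageReference Include="Microsoft.Data.Sqlite" Version="1.0.0" />
  </ItemGroup>
</Project>"""


def package_references(csproj_xml: str) -> List[str]:
    """Return the Include names of all PackageReference elements, in file order."""
    root = ET.fromstring(csproj_xml)
    return [el.get("Include") for el in root.iter("PackageReference") if el.get("Include")]


def lookalike_of(name: str, trusted=TRUSTED) -> Optional[str]:
    """Return the trusted package that `name` appears to piggyback on, if any.

    A trusted package itself is never a look-alike. A name counts as a look-alike
    when it starts with a trusted name and the remainder (after optional '.', '_'
    or '-') is one of SUSPICIOUS_SUFFIXES.
    """
    lower = name.lower()
    trusted_lower = {t.lower(): t for t in trusted}
    if lower in trusted_lower:
        return None
    for tl, original in trusted_lower.items():
        if lower.startswith(tl):
            rest = lower[len(tl):].lstrip("._-")
            if rest in SUSPICIOUS_SUFFIXES:
                return original
    return None


def audit(csproj_xml: str) -> List[Tuple[str, str]]:
    """Return (package, reason) findings for a project file's references."""
    findings = []
    for pkg in package_references(csproj_xml):
        if pkg.lower() in BLOCKED:
            findings.append((pkg, "on block list (reported malicious)"))
            continue
        base = lookalike_of(pkg)
        if base:
            findings.append((pkg, f"name extends trusted package {base}; verify publisher"))
    return findings


if __name__ == "__main__":
    for pkg, reason in audit(SAMPLE_CSPROJ):
        print(f"{pkg}: {reason}")
```

Run against the sample, it reports Sharp7Extend as blocked and Npgsql.Extend as a look-alike of Npgsql. The suffix heuristic is deliberately narrow so it stays quiet on ordinary dependencies; a real audit would pair it with a check of the package's publisher against the publisher of the trusted base package.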

Under the shanhai666 developer name, NuGet listed 12 packages, but only nine of them included malicious code:

At publishing time, there are no packages listed under that developer's name. The delisting, however, came only after the packages had been downloaded almost 9,500 times.

According to Socket researchers, the packages contain mostly (99%) legitimate code, creating a false sense of safety and trust, but include a small 20-line malicious payload.

"The malware exploits C# extension methods to transparently inject malicious logic into every database and PLC operation," Socket explains in a report this week.

Source: BleepingComputer