
Malicious NuGet packages drop disruptive 'time bombs'


Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices.

The embedded malicious code uses a probabilistic trigger, so it may or may not activate depending on a set of parameters on the infected device.

NuGet is an open-source package manager and software distribution system, enabling developers to download and include ready-to-run .NET libraries for their projects.

Researchers at code security company Socket found nine malicious packages on NuGet, all published under the developer name shanhai666, that featured legitimate functionality along with the harmful code.

The packages "strategically target all three major database providers used in .NET applications (SQL Server, PostgreSQL, SQLite)." However, the most dangerous of them is Sharp7Extend, which targets users of the legitimate Sharp7 library for communicating over Ethernet with Siemens programmable logic controllers (PLCs).

"By appending 'Extend' to the trusted Sharp7 name, the threat actor exploits developers searching for Sharp7 extensions or enhancements," Socket researchers said.

Under the shanhai666 developer name, NuGet listed 12 packages, but only nine of them included malicious code:

- SqlUnicorn.Core
- SqlDbRepository
- SqlLiteRepository
- SqlUnicornCoreTest
- SqlUnicornCore
- SqlRepository
- MyDbRepository
- MCDbRepository
- Sharp7Extend

At publishing time, no packages are listed under that developer's name. However, the delisting occurred only after the download count had almost reached 9,500.
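Delisting does not remove a package from projects that already reference it, so the practical check is to search existing dependency files for the nine IDs above. The following is an added example, not code from the article or from Socket: it matches exact package IDs case-insensitively in `.csproj` or `.props` files, `packages.config` and `packages.lock.json`, and the file paths, versions and sample contents are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

# The nine package IDs listed in the article. NuGet IDs are case-insensitive.
FLAGGED = {n.lower() for n in (
    "SqlUnicorn.Core", "SqlDbRepository", "SqlLiteRepository",
    "SqlUnicornCoreTest", "SqlUnicornCore", "SqlRepository",
    "MyDbRepository", "MCDbRepository", "Sharp7Extend")}

def package_ids(name, text):
    """Yield (package_id, how_referenced) from one dependency file's text."""
    if name.endswith(".json"):  # packages.lock.json also lists transitive deps
        for framework, deps in json.loads(text).get("dependencies", {}).items():
            for pkg, meta in deps.items():
                yield pkg, f"{meta.get('type', '?')} ({framework})"
        return
    for el in ET.fromstring(text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the MSBuild XML namespace, if any
        if tag in ("PackageReference", "PackageVersion"):  # .csproj / .props
            pkg = el.get("Include") or el.get("Update")
        elif tag == "package":                             # packages.config
            pkg = el.get("id")
        else:
            continue
        if pkg:
            yield pkg, tag

def scan(files):
    """files: {path: text}. Return sorted (path, package_id, how) hits."""
    return sorted((path, pkg, how)
                  for path, text in files.items()
                  for pkg, how in package_ids(path.lower(), text)
                  if pkg.strip().lower() in FLAGGED)

# Constructed sample input (versions are placeholders), not real project files.
SAMPLE = {
    "Plc/Plc.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
        '<PackageReference Include="Sharp7" Version="0.0.0" />'
        '<PackageReference Include="sharp7extend" Version="0.0.0" />'
        '</ItemGroup></Project>',
    "Old/packages.config":
        '<packages><package id="MyDbRepository" version="0.0.0" /></packages>',
    "Api/packages.lock.json": json.dumps({"version": 1, "dependencies": {"net8.0": {
        "Dapper": {"type": "Direct", "resolved": "0.0.0"},
        "SqlUnicorn.Core": {"type": "Transitive", "resolved": "0.0.0"}}}}),
}

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit, sep="  ")
```

The legitimate Sharp7 reference in the sample is not reported, because the match is on the full package ID rather than a substring.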

Sneaking a “bomb” for 2028
