
Nine malicious NuGet packages have been identified that can disrupt industrial control systems by dropping time-delayed payloads and interfering with database operations.
According to software supply chain security firm Socket, the packages were published by a user named “shanhai666” in 2023 and 2024 and are designed to execute malicious code after specific trigger dates in August 2027 and November 2028. The packages were downloaded a total of 9,488 times.
Security researcher Kush Pandya said, “The most dangerous package, Sharp7Extend, targets industrial PLCs with a dual interference mechanism of immediate random process termination and silent write failures that begin 30 to 90 minutes after installation, impacting safety-critical systems in manufacturing environments.”

The list of malicious packages is below –
MyDbRepository (last updated May 13, 2023)
MCDbRepository (last updated June 5, 2024)
Sharp7Extend (last updated August 14, 2024)
SqlDbRepository (last updated October 24, 2024)
SqlRepository (last updated October 25, 2024)
SqlUnicornCoreTest (last updated October 26, 2024)
SqlUnicornCore (last updated October 26, 2024)
SqlUnicorn.Core (last updated October 27, 2024)
SqlLiteRepository (last updated October 28, 2024)
Socket said that because all nine malicious packages worked as advertised, attackers could build trust among downstream developers, who could download the packages without realizing that they contained logic bombs that were meant to go off in the future.
The attacker published 12 packages in total; the remaining three were found to work as intended, without any malicious functionality. All of them have been removed from NuGet. Sharp7Extend is designed to target users of the genuine Sharp7 library, a .NET implementation for communicating with Siemens S7 programmable logic controllers (PLCs), the company added.
Bundling Sharp7 into the NuGet package lends it a false sense of security, while the library surreptitiously injects malicious code by abusing C# extension methods, which run whenever an application performs database queries or PLC operations.

“Extension methods allow developers to add new methods to existing types without changing the original code. This is a powerful C# feature that threat actors weaponize for interception,” Pandya explained. “Each time your application performs a database query or PLC operation, these extension methods automatically run and check the current date and trigger date (hardcoded in most packages, and configuration encrypted in Sharp7Extend).”
After the trigger date, the malware has a 20% chance of terminating the entire application process. In the case of Sharp7Extend, the malicious logic becomes active immediately after installation and persists until June 6, 2028, when the termination mechanism automatically stops.
This package also includes a feature that blocks write operations to the PLC with an 80% probability after a random delay of 30 to 90 minutes. Once that grace period expires, the random process termination and the silent write failures are both active at the same time.

Meanwhile, certain SQL Server, PostgreSQL, and SQLite implementations associated with other packages are set to trigger on August 8, 2027 (MCDbRepository) and November 29, 2028 (SqlUnicornCoreTest and SqlUnicornCore).
“This staggered approach gives attackers more time to recruit victims before the delayed-onset malware is activated, while simultaneously disrupting industrial control systems instantly,” Pandya said.
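Because the packages behave normally until their trigger dates, the practical first step for a defender is a dependency audit rather than runtime observation. The following is an added example, not tooling from Socket or from the report: it flags the nine package IDs named above in a project's .csproj and packages.lock.json files (the lock file matters because it also lists transitive dependencies), annotating each hit with the trigger behaviour the report describes. The sample inputs are constructed.

```python
import json
import xml.etree.ElementTree as ET
# Package IDs from the report, keyed lowercase because NuGet IDs are
# case-insensitive; each note records the trigger behaviour the report states.
MALICIOUS_PACKAGES = {
    "mydbrepository": "delayed logic bomb (trigger date not stated)",
    "mcdbrepository": "trigger date 2027-08-08",
    "sharp7extend": "active on install; PLC termination/write failures until 2028-06-06",
    "sqldbrepository": "delayed logic bomb (trigger date not stated)",
    "sqlrepository": "delayed logic bomb (trigger date not stated)",
    "sqlunicorncoretest": "trigger date 2028-11-29",
    "sqlunicorncore": "trigger date 2028-11-29",
    "sqlunicorn.core": "delayed logic bomb (trigger date not stated)",
    "sqlliterepository": "delayed logic bomb (trigger date not stated)",
}

def refs_from_csproj(xml_text):
    """Yield (package id, version) for every PackageReference element."""
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "PackageReference":
            continue  # skip Project, ItemGroup, etc. (namespace-tolerant)
        pkg = elem.get("Include") or elem.get("Update")
        if pkg:
            yield pkg, elem.get("Version") or elem.findtext("Version") or "?"

def refs_from_lock(json_text):
    """Yield (package id, resolved version) from packages.lock.json; this
    also covers transitive dependencies a .csproj never names."""
    for framework in json.loads(json_text).get("dependencies", {}).values():
        for pkg, info in framework.items():
            yield pkg, info.get("resolved", "?")

def audit(refs):
    """Return [(package id, version, note)] for each flagged reference."""
    return [(pkg, ver, MALICIOUS_PACKAGES[pkg.lower()])
            for pkg, ver in refs if pkg.lower() in MALICIOUS_PACKAGES]

# Constructed sample inputs, not taken from any real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Sharp7" Version="1.1.84" />
  <PackageReference Include="sharp7extend" Version="1.0.0" />
</ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Dapper": {"type": "Direct", "resolved": "2.1.35"},
    "SqlUnicornCore": {"type": "Transitive", "resolved": "1.0.0"}}}})

if __name__ == "__main__":
    hits = audit(refs_from_csproj(SAMPLE_CSPROJ)) + audit(refs_from_lock(SAMPLE_LOCK))
    for pkg, ver, note in hits:
        print(f"FLAGGED {pkg} {ver}: {note}")
```

The genuine Sharp7 package is deliberately left unflagged, since only the lookalike Sharp7Extend is malicious.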
It is currently unclear who is behind the supply chain attack, but Socket said source code analysis and the choice of the name shanhai666 suggest it is the work of a threat actor, likely originating from China.
“This campaign demonstrates sophisticated techniques that are rarely combined in NuGet supply chain attacks,” the company concluded. “Developers who installed the package in 2024 will have moved on to other projects or companies by 2027-2028, when the database malware is activated. It has a 20% chance of being executed, and a coordinated attack is disguised as a random crash or hardware failure.”
“This makes incident response and forensic investigations nearly impossible, leaving organizations unable to trace malware back to the point of introduction, determine who installed compromised dependencies, or establish a clear timeline of compromise, effectively erasing any paper trail of an attack.”
