A malicious NuGet package stole ASP.NET data. Malware with dropped npm packages
Ravi Lakshmanan, February 25, 2026, Cybersecurity / Malware


Cybersecurity researchers have discovered four malicious NuGet packages designed to target ASP.NET web application developers and steal sensitive data.

The campaign, discovered by Socket, not only steals ASP.NET identity data such as user accounts, role assignments, and permission mappings, but also manipulates authorization rules to create persistent backdoors in victim applications.

The names of the packages are listed below –

  • NCryptYo
  • DOMOAuth2_
  • IRAOAuth2.0
  • SimpleWriter_

The packages were published to the repository by a user named hamzazaheer between August 12 and 21, 2024. They have since been removed from the repository following responsible disclosure, but had by then amassed over 4,500 downloads.

According to the software supply chain security firm, NCryptYo acts as a first-stage dropper that establishes a local proxy on localhost:7152 and relays traffic to an attacker-controlled command and control (C2) server. The C2 server address is obtained dynamically at runtime. It is worth noting that NCryptYo attempts to impersonate a legitimate NCrypto package.

DOMOAuth2_ and IRAOAuth2.0 steal identity data and backdoor apps. SimpleWriter_, on the other hand, functions as a PDF conversion utility while also providing unconditional file writing and hidden process execution. Analysis of the package metadata revealed identical build environments, indicating that this campaign was the work of a single actor.
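The practical follow-up for a .NET team is to check whether any project references these four package IDs, or a lookalike of the NCrypto package that NCryptYo impersonates. The script below is an added example written for this article, not Socket's tooling or anything from the packages themselves: it reads package IDs out of a NuGet packages.lock.json and out of PackageReference elements in a .csproj, flags the four IDs named above, and uses a simple string-similarity check for impersonation. The sample lockfile and project file are constructed, and the ID "NCrypt0" in them is a made-up lookalike used only to exercise the similarity check.

```python
import difflib
import json
import xml.etree.ElementTree as ET

# Package IDs named in the Socket report quoted in the article.
KNOWN_MALICIOUS = {"NCryptYo", "DOMOAuth2_", "IRAOAuth2.0", "SimpleWriter_"}
# Legitimate package that NCryptYo impersonates, used for lookalike matching.
IMPERSONATED = {"NCrypto"}


def package_ids_from_lockfile(lock_text):
    """Collect every package ID in a NuGet packages.lock.json across all target frameworks."""
    data = json.loads(lock_text)
    ids = set()
    for framework_deps in data.get("dependencies", {}).values():
        ids.update(framework_deps.keys())
    return ids


def package_ids_from_csproj(csproj_text):
    """Collect package IDs from <PackageReference Include="..."> elements in a .csproj."""
    root = ET.fromstring(csproj_text)
    return {el.get("Include") for el in root.iter("PackageReference") if el.get("Include")}


def lookalike_of(name, legit_names, threshold=0.8):
    """Return the legitimate ID that `name` closely resembles without being identical, else None."""
    for legit in legit_names:
        if name.lower() == legit.lower():
            return None  # the genuine package, not a lookalike
        ratio = difflib.SequenceMatcher(None, name.lower(), legit.lower()).ratio()
        if ratio >= threshold:
            return legit
    return None


def audit(package_ids):
    """Return sorted (package_id, reason) findings for a set of package IDs."""
    bad = {p.lower() for p in KNOWN_MALICIOUS}
    findings = []
    for pid in sorted(package_ids):
        if pid.lower() in bad:
            findings.append((pid, "known malicious (named in the Socket report)"))
        else:
            target = lookalike_of(pid, IMPERSONATED)
            if target:
                findings.append((pid, "lookalike of " + target))
    return findings


# Constructed sample inputs for this example; not real project files.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
            "NCryptYo": {"type": "Direct", "requested": "[1.0.0, )", "resolved": "1.0.0"},
            "DOMOAuth2_": {"type": "Transitive", "resolved": "1.0.0"},
        }
    },
})

# "NCrypt0" is a made-up lookalike ID used only to exercise the similarity check.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="NCrypt0" Version="1.0.0" />
    <PackageReference Include="SimpleWriter_" Version="2.1.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    ids = package_ids_from_lockfile(SAMPLE_LOCK) | package_ids_from_csproj(SAMPLE_CSPROJ)
    for pid, reason in audit(ids):
        print(f"{pid}: {reason}")
```

The lockfile check matters more than the project file: DOMOAuth2_ appears in the sample as a transitive dependency, which a .csproj alone would never show. Run it over every packages.lock.json in a repository, and treat a lookalike hit as something to verify against the publisher and package history on nuget.org rather than as proof of compromise.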

“NCryptYo is a stage 1 run-on-load dropper,” said security researcher Kush Pandya. “Once the assembly is loaded, its static constructor installs a JIT compiler hook that decrypts the embedded payload and deploys the stage 2 binary. This is a localhost proxy on port 7152 that relays traffic between the companion package and the attacker’s external C2 server, whose address is resolved dynamically at runtime.”

Once the proxy is activated, DOMOAuth2_ and IRAOAuth2.0 begin sending ASP.NET identity data through the local proxy to the external infrastructure. The C2 server responds with authorization rules that are processed by the application, granting administrative roles, changing access controls, or disabling security checks to create a persistent backdoor. SimpleWriter_ writes attacker-controlled content to disk and executes the dropped binary in a hidden window.

Malicious NuGet package

It is not clear exactly how users are persuaded to download these packages, as the attack chain only begins after all four are installed.

“The goal of this campaign is not to directly compromise developers’ machines, but rather to compromise the applications they build,” Pandya explained. “By controlling the authentication layer during development, attackers can gain access to deployed production applications.”

“Once a victim deploys an ASP.NET application with malicious dependencies, the C2 infrastructure remains active in production, continuously extracting authorization data and accepting modified authorization rules. Threat actors or purchasers can then grant themselves administrator-level access to the deployed instances.”

This disclosure comes after Tenable disclosed details of a malicious npm package named ambar-src that accumulated over 50,000 downloads before being removed from the JavaScript registry. The package was uploaded to npm on February 13, 2026.

This package leverages npm’s preinstall script hook to trigger execution of malicious code contained within index.js during installation. The malware is designed to execute one-liner commands that retrieve a payload from the domain x-ya[.]ru chosen according to the host operating system –

  • On Windows, it downloads and runs a file called msinit.exe that contains encrypted shellcode; the shellcode is decoded and loaded into memory.
  • On Linux, it fetches a bash script and runs it. The bash script then retrieves another payload from the same server: an ELF binary that acts as an SSH-based reverse shell client.
  • On macOS, it runs a separate script that uses osascript to execute the JavaScript responsible for dropping Apfell. Apfell is the Mythic C2 framework’s JavaScript for Automation (JXA) agent, which can perform reconnaissance, collect screenshots, steal data from Google Chrome, and display fake prompts to harvest system passwords.
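The install-time hook is the part of this chain a defender can look for generically: npm runs the preinstall, install, postinstall and prepare scripts of a dependency automatically, so a dependency tree can be audited for those hooks before anything executes. The script below is an added example written for this article, not Tenable's analysis tooling or code from ambar-src: it reads package.json manifests, reports every install-time hook, and tags commands that match fetch-and-run indicators (curl/wget, PowerShell download cradles, osascript, a `node <file>.js` launch, eval/base64, embedded URLs). The indicator list and the three sample manifests are constructed for the example; the package names in them are made up.

```python
import json
import re

# Lifecycle hooks that npm runs automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators of fetch-and-run one-liners. Constructed for this example; tune for your environment.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b"), "remote fetch via curl/wget"),
    (re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|\biwr\b", re.I), "PowerShell download cradle"),
    (re.compile(r"\bosascript\b"), "osascript invocation (macOS)"),
    (re.compile(r"\bnode\s+\S+\.js\b"), "runs a JavaScript file at install time"),
    (re.compile(r"\b(eval|base64)\b", re.I), "eval/base64 in install script"),
    (re.compile(r"https?://"), "embedded URL"),
]


def audit_manifest(manifest_text):
    """Return (hook, [reasons]) for every install-time script declared in one package.json."""
    scripts = json.loads(manifest_text).get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [reason for pattern, reason in INDICATORS if pattern.search(cmd)]
        # A hook with no indicator hit is still worth a look; many legitimate packages have none at all.
        findings.append((hook, reasons or ["install hook present; review manually"]))
    return findings


def scan_tree(manifests):
    """Audit a {path: package.json text} mapping; return {path: findings} for packages with install hooks."""
    report = {}
    for path, text in manifests.items():
        findings = audit_manifest(text)
        if findings:
            report[path] = findings
    return report


# Constructed sample manifests standing in for files under node_modules/; the names are made up.
SAMPLE_TREE = {
    "node_modules/constructed-dropper/package.json": json.dumps({
        "name": "constructed-dropper", "version": "1.0.0",
        "scripts": {"preinstall": "node index.js"},   # same shape as the hook described above
    }),
    "node_modules/constructed-native/package.json": json.dumps({
        "name": "constructed-native", "version": "2.0.0",
        "scripts": {"install": "node-gyp rebuild"},   # typical native-addon build step
    }),
    "node_modules/constructed-clean/package.json": json.dumps({
        "name": "constructed-clean", "version": "0.1.0",
        "scripts": {"test": "node test.js"},          # not an install hook; never runs on install
    }),
}

if __name__ == "__main__":
    for path, findings in scan_tree(SAMPLE_TREE).items():
        for hook, reasons in findings:
            print(f"{path} [{hook}]: {'; '.join(reasons)}")
```

To run it against a real checkout, build the mapping by globbing `node_modules/**/package.json`. The scan is a review aid rather than a verdict: a preinstall hook that runs `node index.js` is exactly what this campaign used, but it is also how some legitimate packages bootstrap themselves, so the flagged command and the file it launches both need reading. Installing with `npm install --ignore-scripts` (or setting `ignore-scripts=true` in .npmrc) stops all of these hooks from running in the first place, at the cost of breaking packages that genuinely need them.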

“It uses multiple techniques to evade detection and target developers on Windows, Linux, and macOS hosts to drop sophisticated open-source malware,” the company said in a statement.

Once the data is collected, attackers exfiltrate it to Yandex Cloud domains in order to blend in with legitimate traffic and take advantage of the fact that trusted services are less likely to be blocked within corporate networks.

ambar-src is considered to be a more mature variant of eslint-verify-plugin, another rogue npm package that was recently flagged by JFrog for dropping the Mythic agents Poseidon and Apfell on Linux and macOS systems.

“If this package is installed or running on a computer, that system should be considered fully compromised,” Tenable said. “Packages should be removed, but because an external entity may have complete control of your computer, removing a package may not remove all resulting malicious software.”
