
"Security experts have helped remove malicious NuGet packages planted in 2023 that were designed to destroy systems years in advance, with some payloads not due to hit until the latter part of this decade. Socket's researchers identified nine malicious packages on the .NET package manager containing destructive code due to trigger between 2027 and 2028, with one affecting "safety-critical systems in manufacturing environments.""
"Kush Pandya, security engineer at Socket, said 99 percent of the code among these packages was benign, which serves as a trust-builder. He wrote: "This legitimate functionality serves multiple purposes: it builds trust as packages work as advertised, passes code reviews where reviewers see familiar patterns and real implementations, provides actual value encouraging adoption, masks the ~20-line malicious payload buried in thousands of lines of legitimate code, and delays discovery since even after activation, crashes appear as random bugs rather than systematic attacks.""
Security researchers removed a set of NuGet packages published in 2023 and 2024 that concealed malicious code intended to cause destructive failures years later. Socket researchers found nine malicious packages among 12 published by the user shanhai666; the malicious packages were downloaded nearly 10,000 times. Roughly 99 percent of the package code was legitimate, which built trust and delayed detection while a ~20-line payload remained hidden. Several packages targeted major databases (SQL Server, PostgreSQL, SQLite) and were designed to terminate host processes with a 20% probability once trigger dates in 2027–2028 had passed. One package, Sharp7Extend, targeted Siemens S7 PLCs used in manufacturing.
Read at Theregister