Rogue NuGet Packages Infect .NET Builders with Crypto-Stealing Malware

Deal Score0
Deal Score0

Mar 22, 2023Ravie LakshmananDevOpsSec / Malware

The NuGet repository is the goal of a brand new “refined and highly-malicious assault” aiming to contaminate .NET developer methods with cryptocurrency stealer malware.

The 13 rogue packages, which have been downloaded greater than 160,000 occasions over the previous month, have since been taken down.

“The packages contained a PowerShell script that may execute upon set up and set off a obtain of a ‘second stage’ payload, which could possibly be remotely executed,” JFrog researchers Natan Nehorai and Brian Moussalli said.

Whereas NuGet packages have been prior to now discovered to contain vulnerabilities and be abused to propagate phishing links, the event marks the first-ever discovery of packages with malicious code.

Three of essentially the most downloaded packages – Coinbase.Core, Anarchy.Wrapper.Internet, and DiscordRichPresence.API – alone accounted for 166,000 downloads, though it is also doable that the menace actors artificially inflated the obtain counts utilizing bots to make them seem extra reputable.

The usage of Coinbase and Discord underscores the continued reliance on typosquatting strategies, through which faux packages are assigned names which might be much like reputable packages, so as to trick builders into downloading them.

The malware included inside the software program packages features as a dropper script and is designed to mechanically run a PowerShell code that retrieves a follow-on binary from a hard-coded server.

As an added obfuscation mechanism, some packages didn’t embed a malicious payload straight, as a substitute fetching it through one other booby-trapped bundle as a dependency.

Much more troublingly, the connection to the command-and-control (C2) server happens over HTTP (versus HTTPS), rendering it susceptible to an adversary-in-the-middle (AiTM) assault.

The second-stage malware is what JFrog describes as a “fully customized executable payload” that may be dynamically switched at will because it’s retrieved from the C2 server.


Uncover the Hidden Risks of Third-Social gathering SaaS Apps

Are you conscious of the dangers related to third-party app entry to your organization’s SaaS apps? Be a part of our webinar to be taught concerning the varieties of permissions being granted and easy methods to reduce threat.


The second-stage delivers a number of capabilities that embody a crypto stealer and an auto-updater module that pings the C2 server for an up to date model of the malware.

The findings come because the software program provide chain has develop into an more and more profitable pathway to compromise builders’ methods and stealthily propagate backdoored code to downstream customers.

“This proves that no open supply repository is protected from malicious actors,” Shachar Menashe, senior director at JFrog Safety Analysis, stated in an announcement shared with The Hacker Information.

“.NET builders utilizing NuGet are nonetheless at excessive threat of malicious code infecting their environments and will take warning when curating open-source elements to be used of their builds – and at each step of the software program growth lifecycle – to make sure the software program provide chain stays safe.”

Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.

We will be happy to hear your thoughts

Leave a reply
Enable registration in settings - general