A sophisticated supply chain attack is targeting ASP.NET developers, with four malicious NuGet packages designed to steal sensitive login credentials and establish persistent backdoors within web applications. These nefarious packages, identified by security researchers, have already garnered significant downloads, raising alarms about the security of the software development ecosystem.
The compromised NuGet packages include NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_. They were published onto the NuGet platform between August 12 and August 21, 2024, by a threat actor operating under the username “hamzazaheer.” Collectively, these packages have amassed over 4,500 downloads, indicating a wide potential reach for the attack. This incident highlights the ongoing risks associated with third-party code dependencies in modern software development.
Malicious NuGet Packages Exploit Developer Trust
The attack cleverly exploits the trust developers place in publicly available libraries. NCryptYo, for instance, masquerades as a legitimate cryptography library. It achieves this through typosquatting, mimicking the widely used NCrypto package. Furthermore, its DLL filename, NCrypt.dll, imitates Windows’ native Cryptography API: Next Generation (CNG) provider, and its namespace mirrors Microsoft’s own cryptography APIs. This deliberate deception aims to lull developers into a false sense of security.
A critical element of the NCryptYo package is its static constructor. This code executes automatically the moment the assembly is loaded, even before any developer invokes a method call. This allows the malicious code to silently deploy a hidden proxy on the local machine, specifically at port 7152. This proxy then relays traffic to an external server controlled by the attackers, creating an immediate channel for data exfiltration.
Security researchers at Socket.dev were instrumental in uncovering the full scope of this campaign. They identified shared infrastructure across all four malicious packages, confirming a single operator was behind them. Analysis revealed that DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ all share an identical byte-for-byte hardcoded authentication token. This token is encoded using GZip compression and custom Base64 substitutions, further solidifying the attribution to the same threat actor.
The effectiveness of the obfuscation techniques employed is evident in the VirusTotal analysis. Out of 72 security vendors, only one flagged the NCrypt.dll file. This low detection rate underscores the challenges in identifying heavily obfuscated .NET malware that evades standard security scanning tools. Efforts to enhance detection for such threats are ongoing.
Targeted Data and Backdoor Functionality
Once installed, the DOMOAuth2_ and IRAOAuth2.0 packages silently extract valuable ASP.NET Identity data. This includes user account IDs, role assignments, and permission mappings. This sensitive information is then routed through the local proxy to the attacker-controlled server.
In parallel, SimpleWriter_, which disguises itself as a PDF conversion tool, has a more insidious purpose. It writes files controlled by the threat actor to the disk and executes hidden processes without any visible window. The ultimate goal extends beyond compromising individual developer workstations; the intention is to infiltrate production applications and, by extension, the data of end users.
JIT Hooking: The Core Infection Mechanism
NCryptYo employs a sophisticated technique known as Just-In-Time (JIT) compiler hijacking to evade detection. In a typical .NET environment, methods are compiled just before they are executed. However, this malicious package intercepts this process by inserting its own hook. This allows the malicious code to be decrypted and become active only at the precise moment of execution, rendering it invisible to static analysis tools that examine code before it runs.
The DLL is further protected by .NET Reactor obfuscation, a powerful tool used to make code harder to reverse-engineer. This obfuscation includes a 14-day expiry timer and anti-debugging checks, adding layers of complexity for security researchers attempting to analyze the malware.
Embedded within the package are five encrypted resources. The largest of these, a 126 KB payload, is responsible for constructing the hidden proxy tunnel that connects to the attacker’s external server. This persistent connection is crucial for maintaining access and exfiltrating stolen data over time.
Developers are urged to exercise extreme caution when incorporating third-party libraries into their projects. Verifying package names for typos, checking author identities, and reviewing download histories are critical steps in mitigating supply chain risks. Monitoring network traffic for unusual activity on localhost ports can also provide early warning signs of compromise.
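The checks just listed can be automated at the point a package enters a project. The script below is an added example written for this article, not code from Socket.dev or from the packages described: it opens a .nupkg (which is simply a zip archive carrying a .nuspec manifest), flags package IDs within a small edit distance of a known package, flags publishers outside an allow-list, and flags shipped DLLs that reuse a Windows system DLL name, the three tricks NCryptYo relied on. The allow-lists and the sample package are assumptions constructed for the demonstration.

```python
import io, zipfile
import xml.etree.ElementTree as ET

# Hypothetical policy lists a team would maintain; the values here are assumptions.
KNOWN_PACKAGES = {"NCrypto", "Newtonsoft.Json"}      # packages already in use
TRUSTED_AUTHORS = {"Microsoft", "James Newton-King"}  # approved publishers
WINDOWS_DLLS = {"ncrypt.dll", "bcrypt.dll", "crypt32.dll"}  # native system DLL names

def levenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance; small non-zero values suggest typosquatting."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_nupkg(data: bytes) -> list[str]:
    """Return findings for a .nupkg (a zip archive containing a .nuspec manifest)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        nuspec = next(n for n in z.namelist() if n.endswith(".nuspec"))
        root = ET.fromstring(z.read(nuspec))
        ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
        pkg_id = root.findtext(f".//{ns}id") or ""
        authors = root.findtext(f".//{ns}authors") or ""
        for known in KNOWN_PACKAGES:            # 1. near-miss of a known package id
            d = levenshtein(pkg_id, known)
            if 0 < d <= 2:
                findings.append(f"id {pkg_id!r} is {d} edit(s) away from {known!r}")
        if authors not in TRUSTED_AUTHORS:      # 2. unknown publisher
            findings.append(f"author {authors!r} is not an approved publisher")
        for name in z.namelist():               # 3. DLL name shadows a Windows DLL
            if name.rsplit("/", 1)[-1].lower() in WINDOWS_DLLS:
                findings.append(f"{name} reuses a Windows system DLL name")
    return findings

# Constructed sample modelled on the NCryptYo package described above.
SAMPLE_NUSPEC = b"""<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata><id>NCryptYo</id><version>1.0.0</version><authors>hamzazaheer</authors></metadata>
</package>"""
def build_sample_nupkg() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("NCryptYo.nuspec", SAMPLE_NUSPEC)
        z.writestr("lib/net8.0/NCrypt.dll", b"MZ" + b"\0" * 64)  # placeholder, not a real PE
    return buf.getvalue()
```

Running `audit_nupkg(build_sample_nupkg())` on the constructed package produces three findings, one per check.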
For security teams, implementing automated scanning within CI/CD pipelines is essential. These scans should look for indicators of obfuscation, misuse of static constructors, and the presence of embedded encrypted payloads before any package is integrated into a production build. Proactive measures are vital in defending against these evolving threats.
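Two of the indicators named above can be checked on the DLL bytes without a disassembler. The example below is added for this article and is not Socket.dev's tooling: it looks for the literal ".cctor" token that .NET metadata uses for type and module initialisers, and it walks the file in fixed windows to locate long runs of high-entropy bytes of the kind an encrypted embedded resource leaves behind. The threshold, window size, minimum blob size and the sample file are assumptions; the sample is a synthetic byte string, not a real assembly.

```python
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.2   # bits per byte; compressed or encrypted data sits close to 8.0
WINDOW = 4096             # scan granularity in bytes
MIN_BLOB = 3 * WINDOW     # assumed: smaller high-entropy runs are too noisy to report

def shannon_entropy(chunk: bytes) -> float:
    """Entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def high_entropy_runs(data: bytes) -> list[tuple[int, int]]:
    """Return (offset, length) of contiguous windows whose entropy exceeds the threshold."""
    runs, start = [], None
    for off in range(0, len(data), WINDOW):
        hot = shannon_entropy(data[off:off + WINDOW]) > ENTROPY_THRESHOLD
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            runs.append((start, off - start))
            start = None
    if start is not None:
        runs.append((start, len(data) - start))
    return [r for r in runs if r[1] >= MIN_BLOB]

def scan_assembly(name: str, data: bytes) -> list[str]:
    """Heuristic CI gate for a managed DLL pulled from a package."""
    findings = []
    # Method names live as plain UTF-8 in the #Strings metadata heap, so a type or
    # module initialiser is visible as the literal token ".cctor" without disassembly.
    if b".cctor" in data:
        findings.append(f"{name}: contains a static constructor (.cctor); review what it does on load")
    for off, length in high_entropy_runs(data):
        findings.append(f"{name}: {length} high-entropy bytes at offset {off:#x}, possible encrypted payload")
    return findings

# Constructed sample: low-entropy padding, a .cctor token, then a 128 KiB pseudo-random blob
# standing in for an encrypted embedded resource. Not a real PE file.
def build_sample_dll() -> bytes:
    blob = random.Random(7).randbytes(128 * 1024)
    return b"MZ" + b"\0" * 8190 + b".cctor" + b"\0" * 8186 + blob
```

Any assembly that initialises static fields also carries a .cctor, so the first check is a prompt to review, not a verdict; the entropy run gives the reviewer the offset to look at.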
The ongoing investigation into these malicious NuGet packages signifies the persistent threat of supply chain attacks. Security vendors and platform providers will likely enhance their detection capabilities for obfuscated .NET code and the abuse of package installation mechanisms. Developers are advised to stay informed about emerging threats and consistently update their security practices to safeguard their applications and user data.