Security researchers have uncovered malicious packages on NuGet that act as time bombs aimed at databases and industrial systems.
The attack, discovered by Socket, involves nine malicious packages published on the NuGet registry. While several packages target databases with dormant code set to trigger in 2027 and 2028, the most alarming is Sharp7Extend, a package that directly targets industrial control systems (ICS).
This package is a “typosquat,” designed to trick developers searching for the legitimate Sharp7 library, a popular tool for communicating with Siemens S7 Programmable Logic Controllers (PLCs). These PLCs are workhorses in manufacturing, energy, and logistics, where they manage physical processes.
To ensure adoption, Sharp7Extend bundles the unmodified legitimate Sharp7 library, making it appear fully functional during testing. However, the package contains two sabotage mechanisms. The first activates immediately, causing the host application to randomly crash 20 percent of the time it communicates with a PLC. The second and more insidious attack waits for a “grace period” of 30 to 90 minutes after installation before silently causing 80 percent of PLC write operations to fail.
This means an application believes it has successfully sent a command – like “engage safety system” or “update setpoint” – but the command is never executed, leading to data corruption and potential physical safety risks.
This industrial-focused package on NuGet is just one piece of a wider campaign that has amassed nearly 9,500 downloads. The threat actor, ‘shanhai666,’ employed several techniques to build trust and evade detection across all nine malicious packages.
The packages are reported to be 99 percent functional, providing working implementations of advertised features like database repository patterns and transaction management. The actor even published three completely legitimate packages to establish a credible profile. This high-quality and functional code serves as a Trojan horse, hiding the malicious payload within thousands of lines of legitimate implementation.
The malware activates using C# extension methods, a feature of the language that allows the attacker’s code to run transparently every time an application performs a database query or PLC operation. For the database packages, this malicious code lies dormant after install from NuGet until trigger dates in 2027 and 2028, at which point it has a 20 percent chance of instantly terminating the entire application on each query.
Due to the probabilistic and time-delayed nature of the attacks, attribution is almost impossible. An application that suddenly begins crashing in 2027 is unlikely to be traced back to a seemingly normal dependency installed by a developer in 2024, who may have long since left the organisation. The random crashes mimic intermittent bugs, frustrating forensic efforts.
Traditional security vetting is no longer sufficient. The immediate priority is a comprehensive audit of all .NET applications to scan for the nine malicious NuGet packages. Any system running Sharp7Extend should be considered compromised and investigated for data integrity issues.
This latest campaign of malicious packages on NuGet shows how operational technology (OT) is being directly and actively targeted via IT supply chains. New controls, such as write verification for PLC communications and baseline monitoring, must be implemented to detect anomalous failure rates. Security must evolve beyond checking for known vulnerabilities towards actively hunting for malicious intent through behavioural analysis of all third-party code.
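The write verification and failure-rate monitoring recommended above can be sketched as follows. This is an added example, not code from Socket's report or from the Sharp7 project, and it is written in Python as a language-neutral illustration. The client interface (`write`/`read`), the 50-write window, the 5 percent baseline and the `FakePlc` test double are all assumptions constructed for the demonstration.

```python
from collections import deque

class VerifiedWriter:
    """Read back every PLC write and track how often the value did not land."""
    def __init__(self, client, window=50, max_failure_rate=0.05):
        self.client = client                  # hypothetical: write(addr, data) / read(addr, size)
        self.results = deque(maxlen=window)   # sliding window: True = verified, False = failed
        self.max_failure_rate = max_failure_rate  # assumed baseline for a healthy link

    def write(self, addr, data):
        """Return True only if the PLC actually holds `data` after the write."""
        try:
            self.client.write(addr, data)
            ok = self.client.read(addr, len(data)) == data
        except OSError:
            ok = False                        # a loud failure still counts toward the rate
        self.results.append(ok)
        return ok

    def failure_rate(self):
        return self.results.count(False) / max(len(self.results), 1)

    def anomalous(self):
        """True once the window is full and failures exceed the baseline."""
        return (len(self.results) == self.results.maxlen
                and self.failure_rate() > self.max_failure_rate)

class FakePlc:
    """Constructed test double: after `grace` writes it reports success but
    discards 4 of every 5 writes, reproducing the symptom described above."""
    def __init__(self, grace):
        self.memory, self.grace, self.calls = {}, grace, 0

    def write(self, addr, data):
        self.calls += 1
        if self.calls > self.grace and self.calls % 5 != 0:
            return                            # silently dropped, no error raised
        self.memory[addr] = bytes(data)

    def read(self, addr, size):
        return self.memory.get(addr, bytes(size))

def simulate(grace, writes, window=50):
    """Drive `writes` distinct setpoints through the wrapper; return (rate, alarm)."""
    writer = VerifiedWriter(FakePlc(grace), window=window)
    for i in range(writes):
        writer.write(100, (i + 1).to_bytes(2, "big"))
    return writer.failure_rate(), writer.anomalous()
```

Read-back comparison is only meaningful for addresses the PLC program does not itself overwrite between the write and the read.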