NuGet and Socket.dev: Malicious NuGet Packages Attacking ASP.NET Developers to Steal Login Credentials

Malicious NuGet Packages Target ASP.NET Developers in Supply Chain Attack

A supply chain attack targeting ASP.NET developers has been uncovered, involving four malicious NuGet packages designed to steal credentials and deploy persistent backdoors in web applications. The packages NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ were published between August 12 and 21, 2024, by a threat actor using the username "hamzazaheer" and have amassed over 4,500 downloads collectively.

The attack begins with typosquatting: NCryptYo impersonates the legitimate NCrypto cryptography library. Its DLL filename (NCrypt.dll) mimics the Windows CNG library of the same name, and its namespace mirrors Microsoft's APIs. The package's static constructor (a .NET type initializer, which the runtime executes automatically the first time the type is touched, so the host application never has to call anything) silently launches a hidden proxy on localhost port 7152 that relays traffic to an attacker-controlled server.
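The first check a practitioner wants after reading the above is whether a project references any of the four package IDs, or a near-miss of a library it legitimately uses. The script below is an added example, not code from the Socket.dev report or from Rankiteo: the four malicious IDs are taken from the report, while the allowlist of legitimate packages and the sample .csproj are constructed for illustration.

```python
"""Audit an SDK-style .csproj for the four package IDs named in the Socket.dev
report and for near-miss names of libraries the project legitimately uses.
Added example: the campaign IDs come from the report; the allowlist and the
sample project file are constructed for illustration."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Package IDs from the report, lower-cased for case-insensitive comparison
# (NuGet IDs are case-insensitive).
KNOWN_MALICIOUS = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}

# Assumed allowlist: packages this project is expected to reference.
LEGITIMATE = {"NCrypto", "Newtonsoft.Json", "Microsoft.AspNetCore.Identity"}
LEGITIMATE_LOWER = {p.lower() for p in LEGITIMATE}

# Constructed sample project file with one known-bad ID and one near-miss.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity" Version="2.2.0" />
    <PackageReference Include="NCryptYo" Version="1.0.0" />
    <PackageReference Include="NCrypt0" Version="1.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(pkg_id: str) -> str:
    """Lower-case and drop a trailing underscore, as seen in two of the
    reported package names, before comparing against the allowlist."""
    return pkg_id.lower().rstrip("_")


def package_ids_from_csproj(xml_text: str) -> list[str]:
    """Return the Include attribute of every PackageReference, ignoring any
    MSBuild XML namespace an older project file might carry."""
    root = ET.fromstring(xml_text)
    return [el.get("Include") for el in root.iter()
            if el.tag.split("}")[-1] == "PackageReference" and el.get("Include")]


def audit_package_ids(ids: list[str]) -> list[tuple[str, str, str | None]]:
    """Flag (package_id, reason, lookalike_of) for each suspicious reference."""
    findings = []
    for pkg in ids:
        if pkg.lower() in KNOWN_MALICIOUS:
            findings.append((pkg, "known-malicious", None))
            continue
        if pkg.lower() in LEGITIMATE_LOWER:
            continue
        for good in sorted(LEGITIMATE):
            if edit_distance(normalize(pkg), good.lower()) <= 2:
                findings.append((pkg, "possible-typosquat", good))
                break
    return findings


if __name__ == "__main__":
    for finding in audit_package_ids(package_ids_from_csproj(SAMPLE_CSPROJ)):
        print(finding)
```

Run it against every .csproj in a repository (and against packages.lock.json if the project pins transitive dependencies) rather than only the top-level project, since a malicious package pulled in transitively is just as live once the assembly loads.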

Researchers at Socket.dev identified the campaign by tracing shared infrastructure across all four packages. DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ contained a byte-identical hardcoded authentication token, encoded with GZip compression and custom Base64 substitutions, confirming a single operator. VirusTotal analysis revealed that only 1 out of 72 security vendors detected the malicious NCrypt.dll, underscoring the effectiveness of its obfuscation.
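The pivot Socket.dev describes, a constant that is byte-identical across several packages, is reproducible with a string dump of each DLL and a reversal of the two encoding layers. The script below is an added example, not the researchers' tooling: the package names come from the report, but the custom Base64 alphabet, the token contents and the per-package string tables are constructed, because the real substitution scheme is not published on this page.

```python
"""Pivot on a hard-coded token shared byte-for-byte across packages, then
decode it by undoing the custom Base64 alphabet and GZip layers the report
describes.  Added example: package names are from the report; the alphabet,
token and string tables are constructed."""
from __future__ import annotations

import base64
import binascii
import gzip
import hashlib
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Assumed custom alphabet: digits first, then lower, then upper, '-_' for '+/'.
CUSTOM_ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase + "-_"
TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)
TO_CUSTOM = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)


def encode_token(plaintext: bytes) -> str:
    """GZip, standard Base64, then remap into the custom alphabet ('=' is kept)."""
    packed = base64.b64encode(gzip.compress(plaintext, mtime=0)).decode("ascii")
    return packed.translate(TO_CUSTOM)


def try_decode(candidate: str) -> bytes | None:
    """Reverse encode_token; None if the string is not a token in this scheme."""
    try:
        raw = base64.b64decode(candidate.translate(TO_STD), validate=True)
        return gzip.decompress(raw)
    except (binascii.Error, ValueError, OSError, EOFError):
        return None


def shared_constants(string_tables: dict[str, list[str]],
                     min_packages: int = 2) -> dict[str, set[str]]:
    """Map each constant to the packages containing it byte-for-byte, keeping
    those present in at least min_packages packages."""
    seen: dict[str, set[str]] = {}
    for pkg, constants in string_tables.items():
        for c in constants:
            seen.setdefault(c, set()).add(pkg)
    return {c: pkgs for c, pkgs in seen.items() if len(pkgs) >= min_packages}


def shared_tokens(string_tables: dict[str, list[str]]) -> dict[str, tuple[set[str], bytes]]:
    """Shared constants that actually decode under the scheme, with plaintext."""
    out = {}
    for c, pkgs in shared_constants(string_tables).items():
        plain = try_decode(c)
        if plain is not None:
            out[c] = (pkgs, plain)
    return out


def fingerprint(constant: str) -> str:
    """SHA-256 of the raw constant: a stable handle for pivoting across samples."""
    return hashlib.sha256(constant.encode("ascii")).hexdigest()


# Constructed token and per-package string tables (as if dumped from each DLL).
TOKEN = encode_token(b"constructed-auth-token-for-illustration")
SAMPLE_STRING_TABLES = {
    "NCryptYo":      ["NCrypt", "127.0.0.1", "7152"],
    "DOMOAuth2_":    ["Authorization", TOKEN, "127.0.0.1"],
    "IRAOAuth2.0":   ["Authorization", TOKEN],
    "SimpleWriter_": ["SimpleWriter.Convert", TOKEN],
}

if __name__ == "__main__":
    for const, (pkgs, plain) in shared_tokens(SAMPLE_STRING_TABLES).items():
        print(fingerprint(const)[:16], sorted(pkgs), plain)
```

Plain shared strings such as "Authorization" or a loopback address also show up in the cross-package map, which is why the decode step is applied as a filter: only a constant that survives the alphabet reversal, Base64 validation and GZip inflation is treated as the operator's token, and its SHA-256 is what you pass to other teams rather than the secret itself.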

Once active, DOMOAuth2_ and IRAOAuth2.0 harvest ASP.NET Identity data including user accounts, roles, and permissions and transmit it to the attacker via the local proxy. SimpleWriter_, disguised as a PDF conversion tool, writes attacker-controlled files to disk and executes hidden processes, extending the compromise beyond the developer’s workstation to production applications.
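Because the exfiltration path runs through the local proxy, a responder's first triage step on a suspect workstation or server is to list listening sockets and see what owns port 7152 on loopback. The script below is an added example, not part of the report: it parses the text output of `ss -ltnp` (Linux) and `netstat -ano` (Windows), and the two sample outputs are constructed.

```python
"""Check listening-socket output for the loopback proxy port the report
attributes to NCryptYo and identify the owning process.  Added example, not
from the report: parses `ss -ltnp` (Linux) and `netstat -ano` (Windows)
text; the sample outputs below are constructed."""
from __future__ import annotations

import re

SUSPECT_PORTS = {7152}                     # loopback proxy port from the report
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
SS_PROCESS = re.compile(r'\(\("([^"]+)",pid=(\d+)')

# Constructed `ss -ltnp` output: a Kestrel dev listener plus the suspect proxy,
# both owned by the same dotnet host process.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      512    127.0.0.1:5000      0.0.0.0:*         users:(("dotnet",pid=4242,fd=12))
LISTEN 0      128    127.0.0.1:7152      0.0.0.0:*         users:(("dotnet",pid=4242,fd=31))
LISTEN 0      4096   [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Constructed `netstat -ano` output (Windows gives the PID but not the name).
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1096
  TCP    127.0.0.1:7152         0.0.0.0:0              LISTENING       9001
  TCP    [::]:445               [::]:0                 LISTENING       4
"""


def parse_listeners(output: str) -> list[tuple[str, int, int | None, str | None]]:
    """Return (local_ip, port, pid, process_name) for each listening socket."""
    rows = []
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] == "LISTEN":                         # ss -ltnp
            ip, port = f[3].rsplit(":", 1)
            m = SS_PROCESS.search(line)
            rows.append((ip, int(port),
                         int(m.group(2)) if m else None,
                         m.group(1) if m else None))
        elif len(f) >= 5 and f[0] == "TCP" and f[3] == "LISTENING":  # netstat -ano
            ip, port = f[1].rsplit(":", 1)
            rows.append((ip, int(port), int(f[4]), None))
    return rows


def suspect_listeners(rows):
    """Listeners bound to loopback on a port the report ties to the proxy."""
    return [r for r in rows if r[0] in LOOPBACK and r[1] in SUSPECT_PORTS]


def processes_to_inspect(rows) -> list[int]:
    """PIDs owning a suspect listener; their loaded modules are the next check."""
    return sorted({r[2] for r in suspect_listeners(rows) if r[2] is not None})


if __name__ == "__main__":
    for sample in (SAMPLE_SS, SAMPLE_NETSTAT):
        rows = parse_listeners(sample)
        print(suspect_listeners(rows), processes_to_inspect(rows))
```

A listener on 7152 is a lead, not a verdict: the port could be reused by something benign, and the proxy could be rebuilt on another port. The stronger follow-up is to take the PIDs this returns and inspect their loaded modules for an NCrypt.dll loaded from a NuGet package directory rather than the Windows system directory, which is the impersonation the report describes.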

NCryptYo also hooks the .NET runtime's just-in-time (JIT) compiler, so its method bodies are decrypted only at the moment each is compiled for execution; a static scan of the DLL sees encrypted bytes rather than readable IL. The DLL is protected with .NET Reactor obfuscation, carries a 14-day expiry timer and anti-debugging measures, and embeds five encrypted resources, including a 126 KB payload that establishes the proxy tunnel.

The campaign highlights the risks of obfuscated .NET malware and the challenges of detecting supply chain threats in development environments.

Source: https://cybersecuritynews.com/malicious-nuget-packages-attacking/

NuGet TPRM report: https://www.rankiteo.com/company/socketinc

Socket.dev TPRM report: https://www.rankiteo.com/company/socketinc

{
  "id": "soc1771957766",
  "linkid": "socketinc",
  "type": "Cyber Attack",
  "date": "8/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {"industry": "Software Development", "type": "Developers, ASP.NET Applications"}
  ],
  "attack_vector": "Malicious NuGet Packages (Typosquatting)",
  "data_breach": {
    "data_encryption": "Yes (malicious payload decrypted at runtime)",
    "data_exfiltration": "Yes (via local proxy to attacker-controlled server)",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High (Personally Identifiable Information)",
    "type_of_data_compromised": "ASP.NET Identity data (user accounts, roles, permissions)"
  },
  "date_detected": "2024-08-21",
  "description": "A supply chain attack targeting ASP.NET developers has been uncovered, involving four malicious NuGet packages designed to steal credentials and deploy persistent backdoors in web applications. The packages NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ were published between August 12 and 21, 2024, by a threat actor using the username 'hamzazaheer' and have amassed over 4,500 downloads collectively.",
  "impact": {
    "data_compromised": "ASP.NET Identity data (user accounts, roles, permissions), attacker-controlled files",
    "identity_theft_risk": "High (PII exposure)",
    "operational_impact": "Persistent backdoors, unauthorized data exfiltration, hidden process execution",
    "systems_affected": "Developer workstations, production ASP.NET applications"
  },
  "initial_access_broker": {
    "backdoors_established": "Local proxy on port 7152, JIT compiler hijacking",
    "entry_point": "Malicious NuGet packages (typosquatting)",
    "high_value_targets": "ASP.NET Identity data, production applications"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Risks of obfuscated .NET malware and challenges of detecting supply chain threats in development environments.",
  "post_incident_analysis": {
    "root_causes": "Typosquatting, obfuscated .NET malware, JIT compiler hijacking, lack of detection by security vendors"
  },
  "references": [{"source": "Socket.dev"}, {"source": "VirusTotal"}],
  "response": {"third_party_assistance": "Socket.dev"},
  "threat_actor": "hamzazaheer",
  "title": "Malicious NuGet Packages Target ASP.NET Developers in Supply Chain Attack",
  "type": "Supply Chain Attack",
  "vulnerability_exploited": "JIT compiler hijacking, .NET Reactor obfuscation, static constructor execution"
}