ALL POSTS

Key Findings Nine NuGet packages published under the alias "shanhai666" are designed to execute destructive, time-delayed payloads against database applications and industrial control systems. The packages provide nearly all of their advertised functionality, blending genuine code with hidden sabotage to build trust and pass code reviews. The malware exploits C# extension methods to transparently inject malicious logic into database and PLC operations, including methods to te

Key Findings A set of nine malicious NuGet packages capable of dropping time-delayed payloads has been identified. The packages were published in 2023 and 2024 by a user named "shanhai666" and are designed to run malicious code after specific trigger dates in August 2027 and November 2028. The packages were collectively downloaded 9,488 times. The most dangerous package, "Sharp7Extend," targets industrial PLCs with dual sabotage mechanisms: immediate random process terminatio