Time-Delayed Logic Bombs in Malware-Infiltrated NuGet Packages Poised to Detonate Years After Installation
- Nov 8, 2025
Key Findings
A set of nine malicious NuGet packages capable of dropping time-delayed payloads has been identified.
The packages were published in 2023 and 2024 by a user named "shanhai666" and are designed to run malicious code after specific trigger dates in August 2027 and November 2028.
The packages were collectively downloaded 9,488 times.
The most dangerous package, "Sharp7Extend," targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation, affecting safety-critical systems in manufacturing environments.
All nine rogue packages work as advertised, allowing the threat actors to build trust among downstream developers, who may end up installing them without realizing they carry an embedded logic bomb scheduled to detonate in the future.
Background
The threat actor has been found to have published a total of 12 packages; the remaining three work as intended without any malicious functionality. All of the malicious packages have been removed from NuGet.
"Sharp7Extend" is designed to target users of the legitimate "Sharp7" library, a .NET implementation for communicating with Siemens S7 programmable logic controllers (PLCs). By bundling Sharp7 into the NuGet package, the threat actor lends it a false air of legitimacy, while the library stealthily runs malicious code whenever an application performs a database query or PLC operation, abusing C# extension methods to hook those calls.
Malicious Functionality
The extension methods allow the threat actor to intercept and execute malicious code each time an application executes a database query or PLC operation. The malware checks the current date against the hardcoded trigger dates (or encrypted configurations in the case of Sharp7Extend) and triggers the payload if the conditions are met.
Once a trigger date has passed, the malware terminates the entire application process with a 20% probability. In the case of Sharp7Extend, the malicious logic is activated immediately following installation and continues until June 6, 2028, when the termination mechanism stops by itself. The package also includes a feature that sabotages write operations to the PLC 80% of the time after a randomized delay of between 30 and 90 minutes.
Other packages, such as MCDbRepository, SqlUnicornCoreTest, and SqlUnicornCore, are set to trigger on August 8, 2027, and November 29, 2028, and target SQL Server, PostgreSQL, and SQLite implementations.
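As a defender-side check, here is an added example (not code from the report or from any of the projects named) that scans a .NET checkout and its restored package cache for the package ids and publisher named above; the file layouts it reads are standard NuGet artifacts, and the sample inputs are constructed.

```python
import json
import xml.etree.ElementTree as ET
from pathlib import Path
# Indicators named in the report; lower-cased because NuGet ids are case-insensitive.
BAD_PACKAGE_IDS = {"sharp7extend", "mcdbrepository", "sqlunicorncoretest", "sqlunicorncore"}
BAD_AUTHORS = {"shanhai666"}

def _elements(xml_text, name):
    """Yield elements by local name, ignoring the xmlns that old-style csproj/nuspec files carry."""
    return (el for el in ET.fromstring(xml_text).iter() if el.tag.split("}")[-1] == name)

def refs_from_csproj(xml_text):
    """Return (id, version) for every PackageReference in a project file."""
    return [(el.get("Include"), el.get("Version") or (el.findtext("Version") or "").strip())
            for el in _elements(xml_text, "PackageReference") if el.get("Include")]

def refs_from_lockfile(json_text):
    """Return (id, resolved version) from packages.lock.json across all target frameworks."""
    deps = json.loads(json_text).get("dependencies", {})
    return [(pid, meta.get("resolved", "")) for fw in deps.values() for pid, meta in fw.items()]

def author_from_nuspec(xml_text):
    """Return the <authors> value of a .nuspec from the restored package cache, or ''."""
    return next(((el.text or "").strip() for el in _elements(xml_text, "authors")), "")

def flag_refs(refs):
    """Keep only references whose id appears on the report's list."""
    return [(pid, ver) for pid, ver in refs if pid.lower() in BAD_PACKAGE_IDS]

def scan_tree(root_dir):
    """Walk a checkout or ~/.nuget/packages cache; one (file, id, version) tuple per hit."""
    findings = []
    for path in Path(root_dir).rglob("*"):
        if path.suffix == ".csproj":
            hits = flag_refs(refs_from_csproj(path.read_text(encoding="utf-8")))
        elif path.name == "packages.lock.json":
            hits = flag_refs(refs_from_lockfile(path.read_text(encoding="utf-8")))
        elif path.suffix == ".nuspec":
            author = author_from_nuspec(path.read_text(encoding="utf-8"))
            hits = [("author:" + author, "")] if author.lower() in BAD_AUTHORS else []
        else:
            continue
        findings += [(str(path), pid, ver) for pid, ver in hits]
    return findings

# Constructed sample inputs (not real project files) so the checks run offline.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup><PackageReference Include="Sharp7" Version="1.1.0" />
<PackageReference Include="Sharp7Extend" Version="1.0.0" /></ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "SqlUnicornCore": {"type": "Transitive", "resolved": "1.2.3"}}}})
SAMPLE_NUSPEC = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata><id>Sharp7Extend</id><authors>shanhai666</authors></metadata></package>"""
```

Point `scan_tree` at both the repository root and the NuGet global packages folder, since a flagged id can arrive transitively and only appear in the lock file or cache.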
Implications and Challenges
This staggered approach gives the threat actor a longer window to collect victims before the delayed-activation malware triggers, while Sharp7Extend disrupts industrial control systems immediately.
The sophisticated techniques used in this campaign, such as the combination of immediate and delayed attacks, the probabilistic execution to disguise the systematic nature of the attacks, and the exploitation of C# extension methods, make incident response and forensic investigation nearly impossible. Organizations cannot trace the malware back to its introduction point, identify who installed the compromised dependency, or establish a clear timeline of compromise, effectively erasing the attack's paper trail.
Conclusion
The discovery of this supply chain attack demonstrates the need for robust security measures in software development and distribution, as well as the importance of vigilance from developers and organizations in identifying and mitigating such threats.
Sources
https://thehackernews.com/2025/11/hidden-logic-bombs-in-malware-laced.html
https://www.reddit.com/r/SecOpsDaily/comments/1oqtsw5/hidden_logic_bombs_in_malwarelaced_nuget_packages/
https://medium.com/@costigermano/hidden-logic-bombs-in-malware-laced-nuget-packages-set-to-detonate-years-after-installation-880e5155f09b