A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems.
According to software supply chain security company Socket, the packages were published in 2023 and 2024 by a user named "shanhai666" and are designed to run malicious code after specific trigger dates in August 2027 and November 2028. The packages were collectively downloaded 9,488 times.
"The most dangerous package, Sharp7Extend, targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation, affecting safety-critical systems in manufacturing environments," security researcher Kush Pandya said.
The list of malicious packages is below -
- MyDbRepository (Last updated on May 13, 2023)
- MCDbRepository (Last updated on June 5, 2024)
- Sharp7Extend (Last updated on August 14, 2024)
- SqlDbRepository (Last updated on October 24, 2024)
- SqlRepository (Last updated on October 25, 2024)
- SqlUnicornCoreTest (Last updated on October 26, 2024)
- SqlUnicornCore (Last updated on October 26, 2024)
- SqlUnicorn.Core (Last updated on October 27, 2024)
- SqlLiteRepository (Last updated on October 28, 2024)
Socket said all nine rogue packages work as advertised, allowing the threat actors to build trust among downstream developers who may end up downloading them without realizing they come embedded with a logic bomb inside that's scheduled to detonate in the future.
The threat actor has been found to publish a total of 12 packages, with the remaining three working as intended without any malicious functionality. All of them have been removed from NuGet. Sharp7Extend, the company added, is designed to target users of the legitimate Sharp7 library, a .NET implementation for communicating with Siemens S7 programmable logic controllers (PLCs).
While bundling Sharp7 into the NuGet package lends it a false sense of security, it belies the fact that the library stealthily injects malicious code when an application performs a database query or PLC operation by exploiting C# extension methods.
"Extension methods allow developers to add new methods to existing types without modifying the original code – a powerful C# feature that the threat actor weaponizes for interception," Pandya explained. "Each time an application executes a database query or PLC operation, these extension methods automatically execute, checking the current date against trigger dates (hardcoded in most packages, encrypted configuration in Sharp7Extend)."
Once a trigger date is passed, the malware terminates the entire application process with a 20% probability. In the case of Sharp7Extend, the malicious logic is activated immediately following installation and continues until June 6, 2028, when the termination mechanism stops by itself.
The package also includes a feature to sabotage write operations to the PLC 80% of the time after a randomized delay of anywhere between 30 to 90 minutes. This also means that both the triggers – the random process terminations and write failures – are operational in tandem once the grace period elapses.
Certain SQL Server, PostgreSQL, and SQLite implementations associated with other packages, on the other hand, are set to trigger on August 8, 2027, (MCDbRepository) and November 29, 2028 (SqlUnicornCoreTest and SqlUnicornCore).
"This staggered approach gives the threat actor a longer window to collect victims before the delayed-activation malware triggers, while immediately disrupting industrial control systems," Pandya said.
It's currently not known who is behind the supply chain attack, but Socket said source code analysis and the choice of the name "shanhai666" suggest that it may be the work of a threat actor, possibly of Chinese origin.
"This campaign demonstrates sophisticated techniques rarely combined in NuGet supply chain attacks," the company concluded. "Developers who installed packages in 2024 will have moved to other projects or companies by 2027-2028 when the database malware triggers, and the 20% probabilistic execution disguises systematic attacks as random crashes or hardware failures."
"This makes incident response and forensic investigation nearly impossible, organizations cannot trace the malware back to its introduction point, identify who installed the compromised dependency, or establish a clear timeline of compromise, effectively erasing the attack's paper trail."
