Hidden Logic Bombs in Malicious NuGet Packages Set to Detonate Years After Installation

A sophisticated software supply chain attack has been uncovered, involving nine malicious NuGet packages designed to lie dormant for years before activating their destructive payloads. These “logic bombs,” set to trigger in 2027 and 2028, aim to sabotage databases and corrupt critical industrial control systems, posing a long-term threat to organizations.

A Patient and Stealthy Campaign

Discovered by software supply chain security firm Socket, the packages were published throughout 2023 and 2024 by a user named “shanhai666.” The campaign was remarkably patient, with the packages collectively downloaded nearly 9,500 times. Their malicious code is programmed to remain inactive until specific future dates, making detection exceptionally difficult.

All nine packages functioned as advertised, a deliberate tactic to build trust among developers who would integrate them into projects without suspecting a hidden time bomb. The threat actor published a total of 12 packages, with three being completely benign, further obscuring their malicious intent.

Targeting Industrial Control Systems

The most dangerous package identified is Sharp7Extend, which specifically targets industrial Programmable Logic Controllers (PLCs) using the legitimate Sharp7 library for Siemens S7 systems.

As explained by Socket security researcher Kush Pandya, “Sharp7Extend targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation, affecting safety-critical systems in manufacturing environments.”

This package bundles the real Sharp7 library but weaponizes a powerful C# feature called extension methods to secretly inject its malicious logic during normal PLC operations.

The Mechanics of the Deferred Attack

The malware’s activation is tied to a clever abuse of C# extension methods. These methods automatically execute whenever an application performs a database query or PLC operation. In the background, they check the current date against hardcoded trigger dates.

  • For most packages, the trigger dates are August 8, 2027, or November 29, 2028.
  • For Sharp7Extend, the sabotage begins immediately but is designed to continue until June 6, 2028.

Once activated, the malware terminates the entire application process with a 20% probability. Sharp7Extend adds another layer of sabotage by causing write operations to the PLC to fail 80% of the time after a random 30–90 minute delay.
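The combination described above (an extension method that compares the clock against a hard-coded future date and then terminates the process) is something a reviewer can hunt for in decompiled or source C#. The following Python heuristic scanner is an added example written for this article, not code from Socket or from the packages; the `SAMPLE` C# snippet it scans is constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article: an extension method (static method with a "this"
# parameter), a hard-coded DateTime later than the current year, a process-termination
# call, and optionally a Random draw that makes the failure look probabilistic.
EXT_METHOD = re.compile(r"static\s+\w[\w<>\[\]]*\s+(\w+)\s*\(\s*this\s+")
DATE_LITERAL = re.compile(r"new\s+DateTime\s*\(\s*(\d{4})\s*,\s*(\d{1,2})\s*,\s*(\d{1,2})")
TERMINATION = re.compile(r"Environment\.Exit\s*\(|\.Kill\s*\(|Environment\.FailFast\s*\(")
RANDOMNESS = re.compile(r"\bnew\s+Random\b|\.Next\s*\(|\.NextDouble\s*\(")

@dataclass
class Finding:
    method: str
    future_dates: list
    terminates: bool
    randomized: bool

def _method_body(source: str, start: int) -> str:
    # Walk from the end of the signature to the matching closing brace of the body.
    i = source.find("{", start)
    if i < 0:
        return ""
    depth = 0
    for j in range(i, len(source)):
        if source[j] == "{":
            depth += 1
        elif source[j] == "}":
            depth -= 1
            if depth == 0:
                return source[i:j + 1]
    return source[i:]

def scan_source(source: str, current_year: int) -> list:
    """Report each extension method whose body holds a DateTime later than
    current_year together with a process-termination call."""
    findings = []
    for m in EXT_METHOD.finditer(source):
        body = _method_body(source, m.end())
        dates = [f"{y}-{int(mo):02d}-{int(d):02d}"
                 for y, mo, d in DATE_LITERAL.findall(body) if int(y) > current_year]
        terminates = bool(TERMINATION.search(body))
        if dates and terminates:
            findings.append(Finding(m.group(1), dates, terminates, bool(RANDOMNESS.search(body))))
    return findings

# Constructed sample: one suspicious extension method and one harmless one.
SAMPLE = """
public static class QueryExtensions
{
    public static int RunChecked(this DbCommand cmd)
    {
        if (DateTime.Now >= new DateTime(2027, 8, 8) && new Random().Next(100) < 20)
            Environment.Exit(1);
        return cmd.ExecuteNonQuery();
    }
    public static string Trim2(this string s) { return s.Trim(); }
}
"""
```

Run `scan_source(SAMPLE, 2025)` to see only `RunChecked` flagged, with its 2027-08-08 trigger date and the randomized flag set; the harmless `Trim2` method is ignored.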

Strategic Sabotage and Evasion

This staggered and probabilistic approach is highly strategic. The multi-year delay ensures developers who installed the packages will likely have moved on, erasing institutional memory. The 20% failure rate makes the sabotage appear as random crashes or hardware glitches, not a coordinated cyberattack.

Socket concluded, “This makes incident response and forensic investigation nearly impossible… effectively erasing the attack’s paper trail.” While the actor’s identity is unconfirmed, code analysis and the “shanhai666” username suggest a possible Chinese origin.