Cybersecurity analysts have uncovered four harmful NuGet packages designed to infiltrate ASP.NET development environments and secretly extract sensitive application data. The campaign, identified by Socket, focused on compromising applications during development rather than directly attacking developers’ machines.
The rogue packages were uploaded to the official NuGet repository between August 12 and 21, 2024, by a user operating under the name hamzazaheer. Although they were later removed following responsible disclosure, they collectively recorded more than 4,500 downloads before being taken down.
Malicious Package Names and Capabilities
The four identified packages include:
- NCryptYo
- DOMOAuth2_
- IRAOAuth2.0
- SimpleWriter_
Security researchers determined that all four shared identical build environments, strongly suggesting they were created by a single threat actor.
Stage One Dropper and Proxy Setup
NCryptYo functioned as the initial infection vector. It acted as a stage one dropper that installed a local proxy on localhost port 7152. This proxy relayed communication between infected applications and an attacker-controlled command-and-control (C2) server.
Notably, NCryptYo attempted to impersonate the legitimate NCrypto package, increasing the likelihood of accidental installation.
When loaded, the assembly triggered a static constructor that installed JIT compiler hooks. These hooks decrypted embedded payloads and launched a second stage binary that enabled communication with external infrastructure.
ASP.NET Identity Data Theft and Persistent Backdoors
Once the local proxy was active, DOMOAuth2_ and IRAOAuth2.0 began extracting ASP.NET Identity data. This included:
- User account details
- Role assignments
- Permission mappings
The stolen information was transmitted through the local proxy to the remote C2 server. In response, the server issued manipulated authorization rules, which were processed by the application itself.
This mechanism allowed attackers to:
- Grant themselves administrator privileges
- Alter access control policies
- Disable security validations
The result was a persistent backdoor embedded directly within deployed production environments.
SimpleWriter_ contributed additional capabilities, including unrestricted file writing and hidden process execution, while posing as a PDF conversion utility.
Researchers emphasized that the ultimate goal was long term control of production applications, not the compromise of individual developer systems.
Malicious npm Package Infects Windows, Linux, and macOS
In a separate but related supply chain threat, Tenable disclosed a malicious npm package named ambar-src that accumulated over 50,000 downloads before being removed from the registry. The package was published on February 13, 2026.

The malware exploited npm’s preinstall script hook to execute malicious code during installation.
Cross Platform Payload Delivery
The attack logic differed by operating system:
- Windows: Downloaded msinit.exe containing encrypted shellcode that was decrypted and executed in memory.
- Linux: Retrieved a bash script that downloaded an ELF binary functioning as an SSH-based reverse shell.
- macOS: Executed a script using osascript to deploy Apfell, a JavaScript for Automation agent associated with the Mythic framework. Apfell can capture screenshots, extract Google Chrome data, and collect system credentials.
To reduce suspicion, exfiltrated data was sent to infrastructure hosted on Yandex Cloud domains, blending malicious traffic with legitimate services.
Security analysts assess ambar-src as an evolved version of another rogue npm package previously flagged for deploying Mythic agents on Linux and macOS systems.
Full System Compromise Warning
Experts warn that any system where the malicious npm package was installed should be considered fully compromised. Removing the package alone does not guarantee elimination of all secondary payloads or backdoors.
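A first triage step for both disclosures is to check which projects reference the named packages and which npm manifests declare install-time hooks like the preinstall script ambar-src abused. The script below is an added example, not code from Socket, Tenable or the package authors; the package names are the ones reported above, and the sample manifests it scans are constructed.

```python
"""Scan .NET and npm dependency manifests for the packages named in this article.
Added example (not code from Socket, Tenable or the package authors); the package
names come from the article, and the sample manifests below are constructed."""
import json
import xml.etree.ElementTree as ET

# NuGet ids from the Socket report; NuGet matches ids case-insensitively.
BAD_NUGET = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}
BAD_NPM = {"ambar-src"}
# npm lifecycle scripts that run automatically during `npm install`
# (the article notes ambar-src abused preinstall).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def _local(tag):
    """Strip an XML namespace so legacy (namespaced) .csproj files also match."""
    return tag.rsplit("}", 1)[-1]

def scan_dotnet_manifest(xml_text):
    """Return reported NuGet ids from a .csproj (PackageReference) or packages.config (package)."""
    ids = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "PackageReference":
            ids.append(el.get("Include", ""))
        elif _local(el.tag) == "package":
            ids.append(el.get("id", ""))
    return [i for i in ids if i.lower() in BAD_NUGET]

def scan_package_json(text):
    """Return (kind, name) findings: reported npm names and install-time hooks."""
    data = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in data.get(section, {}):
            if name.lower() in BAD_NPM:
                findings.append(("dependency", name))
    for hook in INSTALL_HOOKS:
        if hook in data.get("scripts", {}):
            findings.append(("lifecycle-script", hook))
    return findings

# Constructed sample manifests, not real project files.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
  <PackageReference Include="NCryptYo" Version="1.0.2" />
  <PackageReference Include="DOMOAuth2_" Version="1.0.0" />
</ItemGroup></Project>"""
SAMPLE_PACKAGE_JSON = json.dumps({"name": "sample-app",
    "dependencies": {"express": "^4.19.2", "ambar-src": "1.0.0"},
    "scripts": {"preinstall": "node setup.js", "test": "jest"}})
```

Run `scan_dotnet_manifest` and `scan_package_json` over the contents of each project's manifest files; a lifecycle-script finding on its own is only a prompt to read the script, since many legitimate packages declare install hooks.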
The dual disclosures highlight the growing threat posed by software supply chain attacks targeting developers. By inserting malicious dependencies into trusted repositories, threat actors can quietly infiltrate production systems at scale.