Malicious NuGet Packages Target ASP.NET Developers, Steal Data

Cybersecurity researchers have identified a new campaign involving four malicious packages on the NuGet repository, a key software library for .NET developers. The packages specifically target developers building web applications with ASP.NET, a popular Microsoft framework. According to findings published by software supply chain security firm Socket, the packages are engineered to steal sensitive authentication and authorization data directly from applications.

Scope and Impact of the Attack

The malicious code infiltrates applications to exfiltrate ASP.NET Identity data. This includes comprehensive user account information, role assignments, and permission mappings. Beyond data theft, the packages also manipulate authorization rules within the compromised applications. This manipulation creates persistent backdoors, allowing attackers to maintain long-term, unauthorized access even if the initial malicious package is removed.

This incident highlights a significant threat to software supply chain security. NuGet is the primary package manager for the .NET ecosystem, used by millions of developers worldwide. A successful attack via this vector can compromise countless downstream applications and their users. The discovery follows a pattern of increasing software supply chain attacks targeting open-source repositories like npm and PyPI.

Technical Execution and Discovery

Socket’s researchers detected the packages through automated analysis designed to spot suspicious behavior. The malicious code was obfuscated to evade basic detection. Once installed into a project, the packages execute code that searches for and extracts specific configuration files and databases related to ASP.NET Identity. The stolen data is then transmitted to an external server controlled by the attackers.

The packages masqueraded as legitimate utilities, using names that would appear useful to developers working on authentication systems. This technique, known as typosquatting or dependency confusion, relies on developers mistakenly installing the malicious package instead of a genuine one. The campaign’s sophistication suggests a focused effort to infiltrate professional development environments.

Broader Ecosystem Concerns

This campaign coincides with other recent threats in the open-source ecosystem. In a separate but related event, a popular package on the npm registry, used by JavaScript developers, was found to be dropping malware. That package, which had millions of weekly downloads, was caught executing a script that harvested sensitive user data. These parallel incidents underscore the pervasive and cross-platform nature of modern software supply chain risks.

Security experts note that attackers are increasingly targeting foundational development tools. The goal is to achieve a wide impact with a single, strategically placed malicious component. For organizations, this means a breach can originate not from a direct hack of their servers, but from a compromised tool used during the software development process.

Response and Mitigation Steps

Upon discovery, Socket reported the malicious NuGet packages to Microsoft, which operates the NuGet gallery. Microsoft has since removed the identified packages from the repository. The company has also initiated scans to identify any other potentially harmful packages using similar tactics.

Security analysts recommend that development teams using ASP.NET immediately audit their project dependencies. They should verify that all NuGet packages, particularly those related to security or identity management, are from official and verified sources. Implementing automated software composition analysis tools can help detect anomalies in package behavior before they are integrated into production code.
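A dependency audit of the kind recommended above can start from the project file itself. The following Python sketch is an added example, not code from Socket or Microsoft: it reads the `PackageReference` entries of a `.csproj` and reports any package that is not on a reviewed allowlist, separating near-misses of approved names from merely unreviewed ones. The allowlist, the similarity threshold and the sample project (including its misspelled package ID) are constructed assumptions.

```python
import difflib
import xml.etree.ElementTree as ET

# Assumption: a team-maintained allowlist of reviewed package IDs.
APPROVED = {
    "Microsoft.AspNetCore.Identity.EntityFrameworkCore",
    "Microsoft.AspNetCore.Identity.UI",
    "Microsoft.AspNetCore.Authentication.JwtBearer",
}

# Constructed sample project file; the misspelled ID is invented for illustration.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.UI" Version="8.0.0" />
    <PackageReference Include="microsoft.aspnetcore.authentication.jwtbearer" Version="8.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.Identty.UI" Version="1.0.2" />
    <PackageReference Include="Contoso.Reporting.Helpers" Version="2.1.0" />
  </ItemGroup>
</Project>"""

def package_references(csproj_xml):
    """Return (id, version) for every PackageReference, with or without an XML namespace."""
    refs = []
    for el in ET.fromstring(csproj_xml).iter():
        # Legacy project files put every tag in the MSBuild namespace: strip it.
        if el.tag.split("}")[-1] == "PackageReference" and el.get("Include"):
            refs.append((el.get("Include"), el.get("Version", "unpinned")))
    return refs

def audit(csproj_xml, approved=APPROVED, threshold=0.9):
    """Classify each unapproved reference as a lookalike of an approved ID or as unreviewed."""
    approved_lower = {a.lower(): a for a in approved}  # NuGet IDs are case-insensitive
    findings = []
    for pkg_id, version in package_references(csproj_xml):
        key = pkg_id.lower()
        if key in approved_lower:
            continue
        # A name very close to an approved one is the typosquatting signal.
        close = difflib.get_close_matches(key, list(approved_lower), n=1, cutoff=threshold)
        if close:
            findings.append((pkg_id, version, "lookalike", approved_lower[close[0]]))
        else:
            findings.append((pkg_id, version, "unreviewed", None))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSPROJ):
        print(finding)
```

A "lookalike" finding warrants checking the package's publisher and download history before the build proceeds; an "unreviewed" finding only means the package has not yet been added to the allowlist.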

Looking ahead, the cybersecurity community anticipates continued vigilance from repository maintainers. Microsoft is expected to enhance its automated security scanning for NuGet packages. Furthermore, industry-wide initiatives for better package signing and developer identity verification are likely to gain urgency. Developers and organizations worldwide are advised to treat software dependencies as critical attack vectors requiring formal security review.

Source: Socket Security Research