Malicious NuGet Packages Used to Target .NET Developers

A new attack targeting .NET developers with malicious packages uploaded to the NuGet repository has recently been discovered, according to JFrog’s security researchers. NuGet, the package manager .NET developers use to share and consume reusable code, had seen little malicious activity until now, apart from packages designed to spread phishing links. The attackers used typosquatting to trick developers into downloading the malicious packages, which contained code that triggered the download of a second-stage payload.

The payload, a Windows executable, was designed to steal cryptocurrency, extract and execute code from Electron archives, and drop a small updater executable that keeps the malware up to date. The attackers abused a feature of older Visual Studio versions: scripts placed in the ‘tools’ directory of a NuGet package were executed automatically, with no constraints tied to specific events. With roughly 150,000 downloads racked up before the packages were removed from NuGet, the operation was highly successful.

The security researchers identified 13 NuGet packages containing the same malicious payload, most of which were impersonating popular packages. The most popular of these had over 120,000 downloads at the time it was removed from the repository. In order to protect against such attacks, developers should ensure they are using the latest version of Visual Studio, which ignores run-on-install scripts and displays a warning during the installation of a NuGet package.
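One defensive check that follows from the mechanism described above: a .nupkg is a zip archive, so a package can be inspected for run-on-install scripts in its ‘tools’ directory before it is ever opened in Visual Studio. The following is an added example, not JFrog’s tooling or NuGet’s own code; it assumes the classic NuGet hook names (init.ps1, install.ps1, uninstall.ps1) and uses two constructed sample packages.

```python
"""Scan a .nupkg (a zip archive) for scripts under tools/ that older
Visual Studio versions executed automatically on package install/load."""
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: the classic NuGet hook script names that Visual Studio's
# Package Manager Console ran from a package's tools/ directory.
AUTORUN_SCRIPTS = {"init.ps1", "install.ps1", "uninstall.ps1"}


def find_autorun_scripts(nupkg_bytes: bytes) -> list[str]:
    """Return the archive paths of tools/ scripts that would auto-execute."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for name in zf.namelist():
            p = PurePosixPath(name)
            # Matches tools/init.ps1 as well as tools/<tfm>/install.ps1;
            # the comparison is case-insensitive because zip paths are not normalised.
            if p.parts and p.parts[0].lower() == "tools" and p.name.lower() in AUTORUN_SCRIPTS:
                hits.append(name)
    return sorted(hits)


def build_package(files: dict[str, str]) -> bytes:
    """Build a constructed .nupkg for the demo: a zip of path -> content entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample packages (not real NuGet artifacts); the second one
# carries a typosquatted id and run-on-install hooks.
BENIGN = build_package({
    "Sample.Lib.nuspec": "<package><metadata><id>Sample.Lib</id></metadata></package>",
    "lib/net6.0/Sample.Lib.dll": "MZ...",
})
SUSPICIOUS = build_package({
    "Sampel.Lib.nuspec": "<package><metadata><id>Sampel.Lib</id></metadata></package>",
    "lib/net6.0/Sampel.Lib.dll": "MZ...",
    "tools/init.ps1": "# constructed placeholder for a hook script\n",
    "tools/net45/install.ps1": "# constructed per-framework hook\n",
    "tools/readme.txt": "not a hook",
})

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        hits = find_autorun_scripts(pkg)
        print(f"{label}: {'FLAG ' + ', '.join(hits) if hits else 'no run-on-install scripts'}")
```

Running the same check over a local package cache (for example every .nupkg under the NuGet packages folder) turns it into a simple audit of what is already on a build machine.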

In conclusion, this campaign against .NET developers is a reminder that open source repositories should be used with caution: roughly 150,000 downloads were racked up before the packages were removed from NuGet. To protect against such attacks, developers should ensure they are using the latest version of Visual Studio, which ignores run-on-install scripts and displays a warning during the installation of a NuGet package.

Key Points:

  • A new attack targeting .NET developers with malicious packages loaded to the NuGet repository has recently been discovered.
  • As part of the attack, typosquatting was used to trick developers into downloading the malicious packages.
  • The payload was designed to steal cryptocurrency, extract and execute code from Electron archives, and drop a small updater executable.
  • The attackers abused a feature in older Visual Studio versions where scripts could be placed in the ‘tools’ directory of a NuGet package to have them executed automatically.
  • To protect against such attacks, developers should ensure they are using the latest version of Visual Studio.