Nine malicious NuGet packages have been identified that can release time-delayed payloads to damage database operations and corrupt industrial control systems.
According to software supply chain security company Socket, the packages were published by a user named “shanhai666” in 2023 and 2024 and were designed to run malicious code after specific trigger dates in August 2027 and November 2028. The packages were collectively downloaded 9,488 times.
Security researcher Kush Pandya said, “The most dangerous package, Sharp7Extend, targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures starting 30-90 minutes after installation, which affects safety-critical systems in manufacturing environments.”
The list of malicious packages is below –
- MyDbRepository (last updated on May 13, 2023)
- MCDbRepository (last updated on June 5, 2024)
- Sharp7Extend (last updated on August 14, 2024)
- SqlDbRepository (last updated on October 24, 2024)
- SqlRepository (last updated on October 25, 2024)
- SqlUnicornCoreTest (last updated on October 26, 2024)
- SqlUnicornCore (last updated on October 26, 2024)
- SqlUnicorn.Core (last updated on October 27, 2024)
- SqlLiteRepository (last updated on October 28, 2024)
Socket said all nine rogue packages work as advertised, which lets the threat actor build trust among downstream developers, who install them without realizing they carry a logic bomb set to go off at a future date.
Socket found that the threat actor published 12 packages in total; the remaining three work as intended and carry no malicious functionality. All of them have been removed from NuGet. The company said Sharp7Extend is designed to target users of the legitimate Sharp7 library, a .NET implementation for communicating with Siemens S7 programmable logic controllers (PLCs).
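As an added example (not Socket's tooling or code from the report), the following Python script audits a .csproj or packages.config file for references to the nine package IDs listed above; the sample project files embedded in it are constructed for illustration, and package IDs are matched case-insensitively because NuGet treats them that way.

```python
"""Audit .NET project files for the nine malicious NuGet package IDs named in
Socket's report. Added example, not Socket's tooling; sample inputs are constructed."""
import xml.etree.ElementTree as ET

# Package IDs taken from the report. NuGet IDs are case-insensitive, so the
# match is done on the lower-cased ID.
MALICIOUS_PACKAGE_IDS = {
    "MyDbRepository", "MCDbRepository", "Sharp7Extend", "SqlDbRepository",
    "SqlRepository", "SqlUnicornCoreTest", "SqlUnicornCore", "SqlUnicorn.Core",
    "SqlLiteRepository",
}
_BY_LOWER = {p.lower(): p for p in MALICIOUS_PACKAGE_IDS}


def referenced_packages(xml_text: str) -> dict:
    """Return {package_id: version} from a .csproj (<PackageReference Include=...>)
    or a packages.config (<package id=... version=...>)."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the namespace old-style projects use
        if tag == "PackageReference":
            pid = el.get("Include") or el.get("Update")
            ver = el.get("Version")
        elif tag == "package":
            pid, ver = el.get("id"), el.get("version")
        else:
            continue
        if pid:
            found[pid] = ver or "?"
    return found


def find_malicious(xml_text: str) -> list:
    """List (declared_id, canonical_id, version) for every flagged reference."""
    hits = []
    for pid, ver in referenced_packages(xml_text).items():
        canonical = _BY_LOWER.get(pid.lower())
        if canonical:
            hits.append((pid, canonical, ver))
    return hits


# Constructed sample project files (versions illustrative, not from the report).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Sharp7" Version="1.1.0" />
  <PackageReference Include="sharp7extend" Version="1.0.0" />
</ItemGroup></Project>"""
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="SqlUnicorn.Core" version="1.0.2" targetFramework="net48" />
  <package id="Dapper" version="2.1.0" targetFramework="net48" />
</packages>"""
```

Run `find_malicious()` over every project file in a repository (and over packages.lock.json if you extend the parser) to confirm whether any of the removed packages ever made it into a build.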
Sharp7Extend bundles the legitimate Sharp7 library, which gives users a false sense of security; in reality the package silently runs malicious code whenever an application performs a database query or PLC operation, abusing C# extension methods to hook those calls.
“Extension methods allow developers to add new methods to existing types without modifying the original code – a powerful C# feature that threat actors weaponize to intercept,” Pandya explained. “Every time an application executes a database query or PLC operation, these extension methods execute automatically, checking the current date against trigger dates (hardcoded in most packages, encrypted configuration in Sharp7Extend).”
Once the trigger date passes, the malware terminates the entire application process with a 20% probability. In the case of Sharp7Extend, the malicious logic activates immediately after installation and continues until June 6, 2028, when the termination mechanism turns off automatically.
The package also includes a feature that interrupts PLC write operations 80% of the time after a random delay of between 30 and 90 minutes. Once that grace period ends, both mechanisms, random process termination and write failures, are active simultaneously.
The SQL Server, PostgreSQL and SQLite implementations in some of the other packages, on the other hand, are set to trigger on August 8, 2027 (MCDbRepository) and November 29, 2028 (SqlUnicornCoreTest and SqlUnicornCore).
“This sequential approach gives the threat actor a longer window to collect victims before the delayed-activation malware is triggered, while quickly disrupting industrial control systems,” Pandya said.
It is not currently known who is behind the supply chain attack, but Socket said that source code analysis and the choice of name “shanhai666” suggest it could potentially be the work of a threat actor of Chinese origin.
The company concluded, “This campaign demonstrates sophisticated techniques that are rarely employed in NuGet supply chain attacks.” It added, “Developers who installed packages in 2024 may have moved on to other projects or companies by 2027-2028, when the database malware is triggered, and the 20% execution probability disguises systematic attacks as random crashes or hardware failures.”
“This makes incident response and forensic investigation nearly impossible, as organizations cannot trace the malware back to its introduction point, identify who installed the compromised dependencies, or establish a clear timeline of the compromise, effectively erasing the paper trail of the attack.”