60 New Malicious Packages Uncovered in NuGet Supply Chain Attack (Security News, July 2024)

Threat actors have been observed publishing a new wave of malicious packages to the NuGet package manager as part of an ongoing campaign that began in August 2023, this time adding a new layer of stealth to evade detection.

The fresh packages, about 60 in number and spanning 290 versions, show a more refined approach than the previous set that came to light in October 2023, software supply chain security firm ReversingLabs said.

The end goal of the counterfeit packages, both old and new, is to deliver an off-the-shelf remote access trojan called SeroXen RAT. All the identified packages have since been taken down.

The latest collection of packages is characterized by the use of a novel technique called IL weaving, which makes it possible to inject malicious functionality into a legitimate Portable Executable.

This includes taking popular open-source packages such as Guna.UI2.WinForms and patching them with the aforementioned method to create an imposter package named "Gսոa.UI3.Wіnfօrms", which uses homoglyphs to substitute the letters "u", "n", "i", and "o" with their look-alikes "ս", "ո", "і", and "օ".

"Threat actors are constantly evolving the methods and tactics they use to compromise and infect their victims with malicious code that is used to extract sensitive data or provide attackers with control over IT assets," Zanki said.

"This latest campaign highlights new ways in which malicious actors are scheming to fool developers as well as security teams into downloading and using malicious or tampered-with packages from popular open source package managers like NuGet."
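A defender-side check for the homoglyph trick described above, added here as an example; it is not code from the article or from ReversingLabs. It flags every non-ASCII character in a package ID, reports its script and code point, rebuilds the ASCII name the ID is designed to look like, and matches that name against the packages a project actually depends on. The confusables table is a constructed partial subset (the four substitutions from the campaign plus a few common Cyrillic look-alikes), and the imposter ID is written with Unicode escapes so the substituted letters are visible; the allow-list and the 0.8 similarity threshold are assumptions for the demonstration.

```python
import difflib
import unicodedata

# Constructed, partial confusables table: non-ASCII letters that render like an
# ASCII letter. The first four rows are the substitutions the campaign used; the
# Cyrillic rows are a few other common look-alikes. A production check should
# load the full Unicode confusables.txt instead of this hand-picked subset.
CONFUSABLES = {
    "\u057d": "u",  # ARMENIAN SMALL LETTER SEH (used in the imposter ID)
    "\u0578": "n",  # ARMENIAN SMALL LETTER VO (used in the imposter ID)
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I (used in the imposter ID)
    "\u0585": "o",  # ARMENIAN SMALL LETTER OH (used in the imposter ID)
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def script_of(ch):
    """Script of a letter, taken from the first word of its Unicode name
    (e.g. LATIN, CYRILLIC, ARMENIAN); None for non-letters such as '.' or '3'."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unassigned code point with no name
        return "UNKNOWN"


def analyze_package_id(package_id):
    """Flag every non-ASCII character in a package ID and rebuild the ASCII
    'skeleton' it is meant to look like ('?' where no look-alike is known)."""
    findings, skeleton = [], []
    for pos, ch in enumerate(package_id):
        if ch.isascii():
            skeleton.append(ch)
            continue
        lookalike = CONFUSABLES.get(ch)
        skeleton.append(lookalike or "?")
        findings.append({
            "pos": pos,
            "char": ch,
            "codepoint": "U+%04X" % ord(ch),
            "script": script_of(ch),
            "lookalike": lookalike,
        })
    return {
        "id": package_id,
        "suspicious": bool(findings),
        # A legitimate ID normally uses one script; a mix is a strong signal.
        "scripts": sorted({script_of(c) for c in package_id if c.isalpha()}),
        "skeleton": "".join(skeleton),
        "findings": findings,
    }


def impersonation_target(package_id, known_good, threshold=0.8):
    """For a suspicious ID, return the allow-listed package whose name its ASCII
    skeleton most resembles (case-insensitive), or None if nothing is close.
    The fuzzy match also tolerates a changed digit such as UI2 versus UI3."""
    report = analyze_package_id(package_id)
    if not report["suspicious"]:
        return None
    skeleton = report["skeleton"].lower()
    best, best_ratio = None, 0.0
    for good in known_good:
        ratio = difflib.SequenceMatcher(None, skeleton, good.lower()).ratio()
        if ratio > best_ratio:
            best, best_ratio = good, ratio
    return best if best_ratio >= threshold else None


if __name__ == "__main__":
    # Constructed inputs: the imposter ID from the campaign and an assumed allow-list.
    IMPOSTER = "G\u057d\u0578a.UI3.W\u0456nf\u0585rms"
    ALLOW_LIST = ["Guna.UI2.WinForms", "Newtonsoft.Json"]
    for pkg in [IMPOSTER, "Guna.UI2.WinForms"]:
        r = analyze_package_id(pkg)
        print(f"{pkg!r}: suspicious={r['suspicious']} scripts={r['scripts']} "
              f"skeleton={r['skeleton']!r}")
        for f in r["findings"]:
            print(f"  pos {f['pos']}: {f['char']!r} {f['codepoint']} {f['script']} "
                  f"looks like {f['lookalike']!r}")
        print("  impersonates:", impersonation_target(pkg, ALLOW_LIST))
```

Run against the imposter ID, the report lists four findings (Armenian seh, Armenian vo, Cyrillic i, Armenian oh), a three-script mix, and the skeleton "Guna.UI3.Winforms", which the fuzzy match resolves to Guna.UI2.WinForms on the allow-list; the genuine ID produces no findings. The same check fits naturally into a pre-restore hook or a registry-mirroring policy, where any ID with a non-ASCII letter or a multi-script name is held for review before it reaches a build.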
News URL
https://thehackernews.com/2024/07/60-new-malicious-packages-uncovered-in.html
Related news
- Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant'
- North Korea targets crypto developers via NPM supply chain attack
- Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
- China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
- GitHub supply chain attack spills secrets from 23,000 projects
- Supply chain attack on popular GitHub Action exposes CI/CD secrets
- Google acquisition target Wiz links fresh supply chain attack to 23K pwned GitHub repos
- GitHub Action hack likely led to another in cascading supply chain attack
- GitHub Action supply chain attack exposed secrets in 218 repos
- Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories' CI/CD Secrets Exposed