https://socket.dev/blog/9-malicious-nuget-packages-deliver-time-delayed-destructive-payloads

Security researchers have uncovered a concerning series of malicious NuGet packages that contain harmful code designed to disrupt and sabotage various applications and systems, including database implementations and Siemens industrial control devices.

The packages, published under the developer name “shanhai666,” were found to include legitimate functionality alongside a malicious payload that is programmed to activate on future dates ranging from August 2027 to November 2028. This “time bomb” mechanism triggers on a probabilistic condition and can cause either immediate termination of the host process or delayed corruption of critical PLC write operations.

The researchers at Socket identified nine such malicious packages, all of which targeted the three major .NET database providers – SQL Server, PostgreSQL, and SQLite. The most dangerous package, Sharp7Extend, impersonated a legitimate library for communicating with Siemens programmable logic controllers (PLCs), potentially causing significant disruption to industrial control systems.

The packages had nearly reached 9,500 downloads before being taken down. The researchers warn that organisations must immediately audit their assets for the presence of these malicious packages and assume compromise if any are found. For industrial environments using the Sharp7Extend package, they recommend implementing strict write-verification for critical PLC operations and closely monitoring safety system logs for any anomalies.
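
One way to run the audit described above over a source tree, as an added example that is not taken from Socket's report: it checks project files, `packages.config` and `packages.lock.json` (which also records transitive dependencies) against a blocklist of package IDs. Only Sharp7Extend is named on this page, so the other eight IDs must be added from the report; the sample projects, the `Contoso.Plc.Client` ID and the `0.0.0` versions are constructed.

```python
import json, re, tempfile
from pathlib import Path

# Assumption: only Sharp7Extend is named on this page; add the other eight IDs
# from the Socket report. NuGet package IDs compare case-insensitively.
BLOCKLIST = {"sharp7extend"}

# PackageReference/PackageVersion (SDK-style projects, central package management)
# and <package id="..."> (legacy packages.config).
XML_REF = re.compile(
    r'<(?:PackageReference|PackageVersion|package)\b[^>]*?\b(?:Include|Update|id)\s*=\s*"([^"]+)"',
    re.I)
XML_FILES = ("*.csproj", "*.fsproj", "*.vbproj", "*.props", "packages.config")

def ids_in_lockfile(path):
    """packages.lock.json lists direct AND transitive dependencies per target framework."""
    data = json.loads(path.read_text(encoding="utf-8-sig"))
    for deps in data.get("dependencies", {}).values():
        yield from deps

def audit(root, blocklist=BLOCKLIST):
    """Return sorted (relative_path, package_id) pairs for blocklisted references under root."""
    root, hits = Path(root), set()
    for pattern in XML_FILES:
        for f in root.rglob(pattern):
            text = f.read_text(encoding="utf-8-sig", errors="replace")
            hits |= {(f.relative_to(root).as_posix(), p)
                     for p in XML_REF.findall(text) if p.lower() in blocklist}
    for f in root.rglob("packages.lock.json"):
        hits |= {(f.relative_to(root).as_posix(), p)
                 for p in ids_in_lockfile(f) if p.lower() in blocklist}
    return sorted(hits)

def demo():
    """Constructed tree: a direct reference, a transitive-only reference, a clean project."""
    ref = '<Project><ItemGroup><PackageReference Include="%s" Version="0.0.0" /></ItemGroup></Project>'
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("hmi", "api", "clean"):
            (root / sub).mkdir()
        (root / "hmi/Hmi.csproj").write_text(ref % "Sharp7Extend")
        (root / "clean/Clean.csproj").write_text(ref % "Contoso.Plc.Client")
        (root / "api/packages.lock.json").write_text(json.dumps({"version": 1, "dependencies": {
            "net8.0": {"sharp7extend": {"type": "Transitive", "resolved": "0.0.0"}}}}))
        return audit(root)

if __name__ == "__main__":
    for path, pkg in demo():
        print(f"FOUND {pkg} in {path}")
```

A hit in a lock file with no matching project reference means the package arrived as a transitive dependency, so the project that pulls it in also needs review.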