May 2, 2023 HAWKEYE

Rogue NuGet Packages – The Rise of Supply Chain Risks

NuGet is the package manager for .NET. It enables developers to create, share, and consume useful .NET libraries. NuGet client tools provide the ability to produce and consume these libraries as “packages”.


While attacks on open-source repositories are not new, NuGet has not experienced much malicious activity until now, with the exception of packages designed to distribute phishing URLs.

A sophisticated attack campaign targeting .NET developers has been found using malicious NuGet packages submitted in the public repository. These bogus packages spoof actual packages in order to entice developers and deliver crypto stealers. However, this incident aligns NuGet with NPM and PyPI repositories, which are frequently targeted by cybercriminals: malicious packages submitted to the repository contained code that triggered the download of a second-stage payload.

Working of Attack

It begins by gaining access to the victims’ crypto wallets using Discord webhooks. It then extracts and executes malicious code from Electron archives, allowing it to operate undetected. Finally, the malware maintains its efficacy by constantly upgrading itself via numerous queries to the attacker’s command-and-control server.

Typosquatting is being used by attackers to mimic numerous legitimate software programs. Surprisingly, three of these harmful files have been downloaded over 150,000 times in less than a month.

According to the Jfrog researchers, a huge number of downloads could imply a large number of developers whose computers were stolen, but it is also plausible that hackers utilized bots to artificially enhance the “popularity” of their packages in NuGet.

It is also observed that the attackers attempted to imitate Microsoft developers by using typosquatting when constructing their NuGet profiles. The packages utilized by the hackers are listed below:

Package Name Owner Downloads Published Real Package
Coinbase Core BinanceOfficial 121 900 2023-02-22 Coinbase
Anarchy.Wrapper.Net Official Development Team 30 400 2023-02-21 Anarchy Wrapper
DiscordRichPresence.API Official Development Team 14 100 2023-02-21 DiscordRichPresence
Avalon-Net-Core joeIverhagen 1200 2023-01-03 AvalonEdit
Manage.Carasel.Net Official Development Team 559 2023-02-21 N/A BinanceOfficial 246 2023-02-22 Microsoft.AspNetCore
Sys.Forms.26 joeIverhagen 205 2023-01-03 System.Windows.Forms
Azetap.API DevNuget 153 2023-02-27 N/A
AvalonNetCore Rahul Mohammad 67 2023-01-04 AvalonEdit
Json.Manager.Core BestDeveIopers 46 2023-03-12 Standard .NET name
Managed.Windows.Core mahamadrohu 37 2023-01-05 Standard .NET name
Nexzor.Graphical.Designer.Core Impala 36 2023-03-12 N/A
Azeta.API Soubata 28 2023-02-24 N/A

Payloads used in this cybercriminal operation had a low detection rate, and the defender was unable to detect these tools. As a result, just including an anti-malware component in the Microsoft Windows operating system is insufficient for identifying such attacks.

The 13 rogue packages, which had been downloaded more than 160,000 times in the previous month, have since been removed.

“The packages contained a PowerShell script ((init.ps1) that would run upon installation and initiate the download of a second stage payload that could be remotely executed,” JFrog researchers Natan Nehorai and Brian Moussalli explained. This initial script also configures the compromised machine to allow unrestricted PowerShell command execution, allowing the malware to function undetected.

Following that, the malware downloads and executes a second-stage payload, a Windows executable described as a “fully custom executable payload” by JFrog. In contrast to other attackers who normally use open-source hacking tools and commodity malware, this group is taking an unusual approach by developing their own custom payloads.

The payload uses a very rare obfuscation technique dubbed ‘.NET AoT compilation,’ which is a lot more covert than utilizing ‘off the shelf’ obfuscators while still making the binary difficult to reverse engineer. .NET AoT compilation is an optimization approach that allows apps to be compiled to native code ahead of time. Native AOT apps feature a faster startup time, smaller memory footprints, and can run on machines that do not have the .NET runtime installed.

The two-stage attack culminates in the implementation of Impala Stealer, a.NET-based persistent backdoor capable of getting unauthorized access to users’ cryptocurrency accounts.

The use of Coinbase and Discord highlights the persistent reliance on typosquatting strategies, which involve giving false package names that are similar to actual packages in order to deceive developers into downloading them.

Defending against NuGet Attacks

  • The first responsibility of a developer should be to avoid importing or installing packages that include typos.
  • Several packages replicate the names of well-known and respectable packages, hoping that a programmer will mistakenly add them to their project or list them as a requirement.
  • Users can also prevent potentially hazardous packages from being installed by carefully reviewing the installation and initialization scripts for any suspicious code or activity.
  • When you run scripts, keep a look out for those that will retrieve and execute resources from external sources.
  • When downloading the package locally, be sure no scripts or binary files are accidentally executed.
  • A relatively new package’s low download count may signal a risk.


We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.