Beware of Malicious NuGet Packages Targeting .NET Developers

In a recent attack, the NuGet .NET package manager repository was targeted by cybercriminals who submitted malicious packages containing a PowerShell script that changed the system configuration to allow PowerShell scripts to be executed without restrictions. Since, the cybercriminals are on the loose, businesses in Chicago consider using Cyber security Services Chicago, just to be safe.

The script then fetched a secondary payload from a remote server, which was a Windows executable designed to steal cryptocurrency, extract and execute code from Electron archives, and drop a small updater executable that ensures the malware is always up-to-date.

The threat actors used Typosquatting to trick developers into downloading the malicious packages, with around 150,000 downloads racked up before the packages were removed from NuGet. The attackers also impersonated Microsoft software developers working on NuGet by creating fake profiles in the repository.

The malicious packages were designed to look like popular packages, with Coinbase.Core, Anarchy.Wrapper.Net, and DiscordRichPresence.API being the top three downloaded packages. However, the download count could have been inflated with bots to make the packages appear more legitimate.

The security researchers at JFrog, who discovered the attack, identified 13 NuGet packages containing the same malicious payload. Most of these packages were impersonating popular packages. Some packages did not contain any direct malicious payload but defined other malicious packages as dependencies, which then contained the malicious script.

The threat actors abused a feature in older Visual Studio versions where scripts could be placed in the ‘tools’ directory of a NuGet package to have them executed automatically with no constraints on specific events.

Newer iterations of Visual Studio ignore run-on-install scripts, but they still honor the execution of scripts added with older versions, without displaying a warning during the installation of a NuGet package.

JFrog points out that these kinds of autorun mechanisms are a big reason why we can find thousands of malicious packages plaguing the NPM and PyPI ecosystems, as compared to the Go package ecosystem, for example, in which the client will not cause code to automatically run when a module is installed.

This attack is part of a broader malicious effort, with other attackers uploading more than 144,000 phishing-related packages on multiple open-source package repositories, including NPM, PyPi, and NuGet, as part of a large-scale campaign.

The payloads delivered in this attack have very low detection rates and will not be flagged as malicious by Defender, the built-in anti-malware component in the Microsoft Windows operating system.

How to Avoid These Attacks?

To safeguard against attacks like the one detailed in the article, it’s crucial to adhere to some essential guidelines:

  • Initiate the cybersecurity awareness programs within your company.
  • Keep your software and operating system updated regularly to address any known vulnerabilities.
  • Verify the authenticity of packages or dependencies before installing them, checking the package name, version, and publisher details to ensure that they match the expected values.
  • Use strong, unique passwords for each account and enable two-factor authentication to secure your accounts.
  • Be wary of typosquatting and pay close attention to package names’ spelling. Beware of packages that appear to mimic popular ones but have slight variations in their names or version numbers.
  • Use only trustworthy package managers such as NPM, PyPI, or NuGet and refrain from using packages from unverified or unfamiliar sources.
  • Establish monitoring systems to identify any suspicious activity and establish security measures to prevent unauthorized access.

By adhering to these best practices, you can reduce the risk of being a target of malicious attacks that aim to exploit software repositories and package managers. Moreover, if you have a business in Chicago, try using cybersecurity services Chicago to keep your business safe.

How to Avoid These Attacks


In conclusion, this attack highlights the importance of ensuring the cybersecurity awareness measures of package repositories and being cautious when downloading packages, especially those that are popular or seem too good to be true. It also emphasizes the need for developers to keep their software tools and packages updated to ensure that they are not vulnerable to attacks that exploit older versions.