A new attack has been reported on the NuGet repository, which is aimed at infecting .NET developer systems with cryptocurrency stealer malware.
The attack, described as sophisticated and highly malicious, involved 13 rogue packages that were downloaded more than 160,000 times in the past month. The malware is designed to execute a PowerShell script upon installation, triggering a download of a second-stage payload that can be remotely executed. The packages were removed after the discovery by researchers at JFrog.
The malware incorporated within the packages functions as a dropper script, and because the payload it fetches comes from a command-and-control (C2) server, the operators can swap it out at any time without republishing the packages.
Some packages did not embed a malicious payload directly, instead fetching it via another booby-trapped package as a dependency.
Furthermore, the connection to the C2 server occurs over HTTP, rendering it vulnerable to an adversary-in-the-middle (AiTM) attack.
The second-stage malware delivers several capabilities that include a crypto stealer and an auto-updater module that pings the C2 server for an updated version of the malware.
This marks the first-ever discovery of packages with malicious code on NuGet, although the platform has been found to contain vulnerabilities in the past and has been abused to propagate phishing links.
The use of Coinbase- and Discord-themed package names underscores the continued reliance on typosquatting techniques, in which fake packages are assigned names that are similar to legitimate packages, to trick developers into downloading them. The findings highlight the need for caution when curating open-source components for use in builds and ensuring the software supply chain remains secure.
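Two of the points above lend themselves to a concrete pre-install check: a package that runs a PowerShell script at installation time, and a package whose ID merely resembles a name the team already trusts. The script below is an added example written for this article; it is not JFrog's tooling or NuGet's own code. It assumes a hypothetical allow-list of trusted package IDs, constructs a minimal `.nupkg` (a zip archive) in memory as sample input, looks for PowerShell scripts under `tools/` (the location NuGet's Visual Studio client executes `init.ps1` from), and flags IDs that are near-matches to allow-listed names. Python is used so the audit runs the same on any developer or CI host.

```python
import io
import zipfile
from difflib import SequenceMatcher

# Hypothetical allow-list of package IDs the team already trusts (not from the article).
TRUSTED_PACKAGES = ["Coinbase", "Discord.Net", "Newtonsoft.Json"]

# NuGet's Visual Studio client runs tools/init.ps1 (and, in older clients,
# tools/install.ps1) from the Package Manager Console when a package is installed.
SCRIPT_SUFFIXES = (".ps1", ".psm1")


def find_install_scripts(nupkg_bytes: bytes) -> list[str]:
    """List PowerShell scripts shipped under tools/ in a .nupkg (which is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        return sorted(
            name for name in zf.namelist()
            if name.lower().startswith("tools/") and name.lower().endswith(SCRIPT_SUFFIXES)
        )


def typosquat_candidates(package_id: str, trusted=TRUSTED_PACKAGES, threshold: float = 0.8) -> list[str]:
    """Return trusted IDs that package_id closely resembles without matching exactly.

    NuGet IDs are case-insensitive, so comparison is done on lowercase strings.
    Separators are kept, because 'Discord-Net' versus 'Discord.Net' is exactly
    the kind of lookalike this check should surface.
    """
    candidate = package_id.lower()
    hits = []
    for trusted_id in trusted:
        known = trusted_id.lower()
        if known == candidate:
            return []  # exact match to an allow-listed ID: not a lookalike
        if SequenceMatcher(None, candidate, known).ratio() >= threshold:
            hits.append(trusted_id)
    return hits


def audit_package(package_id: str, nupkg_bytes: bytes) -> list[str]:
    """Combine both checks into a list of findings; an empty list means nothing was flagged."""
    findings = []
    for script in find_install_scripts(nupkg_bytes):
        findings.append(f"{package_id}: ships install-time PowerShell script {script}")
    for lookalike in typosquat_candidates(package_id):
        findings.append(f"{package_id}: ID resembles trusted package {lookalike}")
    return findings


def build_sample_nupkg(with_script: bool) -> bytes:
    """Construct a minimal in-memory .nupkg for the demo (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/net6.0/Sample.dll", b"")  # placeholder assembly entry
        if with_script:
            zf.writestr("tools/init.ps1", "Write-Host 'benign placeholder script'\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("Coinbas", build_sample_nupkg(with_script=True)),        # lookalike ID plus install script
        ("Newtonsoft.Json", build_sample_nupkg(with_script=False)),  # allow-listed, no script
    ]
    for pkg_id, pkg in samples:
        for finding in audit_package(pkg_id, pkg) or [f"{pkg_id}: no findings"]:
            print(finding)
```

Run against real packages by reading the `.nupkg` file bytes from the local package cache or a private feed before the package is allowed into a build; a finding does not prove malice, but either condition is reason to inspect the script contents and the publisher by hand rather than install blindly.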