Researchers Expose Malicious NuGet Packages with Delayed Sabotage

Researchers at Socket have uncovered a sophisticated campaign involving malicious NuGet packages that embed time-delayed sabotage code into seemingly legitimate .NET libraries. These packages, which were downloaded a total of 9,488 times before being disclosed, utilize hidden triggers to terminate host processes and, in a particularly alarming case, corrupt write operations in industrial control systems.

The malicious packages were published under the alias shanhai666 between 2023 and 2024. Each package offers legitimate functionality designed to establish trust among users and evade initial scrutiny. However, they contain approximately 20 lines of malicious code. The attacker exploits C# extension methods such as .Exec() for database commands and .BeginTran() for S7 PLC clients, ensuring that every database query or PLC operation implicitly runs the injected sabotage logic.

The sabotage routines are triggered by hardcoded or encrypted dates, with some activation set for as far away as 2027 or 2028. This long timeframe provides the attacker an extended opportunity to exploit victims before detection becomes possible.

Understanding the Threat of Sharp7Extend

Among the identified packages, Sharp7Extend stands out as the most dangerous. It features two distinct sabotage modes. The first mode activates a probabilistic process-kill on every PLC operation and remains active until June 6, 2028. The second mode introduces a deferred write-failure mechanism that silently returns failed results for up to 80% of write attempts after a grace period of 30–90 minutes. This behavior can corrupt PLC writes without generating obvious error messages, leading to actuator non-responses and failed safety engagements. Such effects can mimic intermittent hardware issues, making them harder to trace back to a deliberate attack.

Several factors contribute to the difficulty in detecting these malicious packages. While the bulk of the code is legitimate and functional, it passes normal testing and code reviews. The technique of typosquatting, such as the name switch from Sharp7 to Sharp7Extend, increases the likelihood of accidental installations in operational technology (OT) environments. Additionally, the inclusion of legitimate libraries helps to mask potential red flags during integration testing.

Strategies for Supply Chain Resilience

To defend against this ongoing NuGet campaign, immediate actions and long-term strategies are necessary. Organizations are advised to audit their dependencies urgently. This includes inventorying .NET packages and removing or replacing any identified malicious packages.

Maintaining dependency hygiene is crucial. Companies should enforce verified publisher metadata, deny names that are susceptible to typosquatting, and restrict package sources to approved registries. Integrating software bill of materials (SBOM) checks and static analysis within continuous integration and continuous delivery (CI/CD) pipelines can help flag time-based logic, unusual extension methods, or obfuscated trigger code.

It is also important to monitor for any probabilistic or time-based logic within dependencies. Alerts should be set for date-checks, randomized control flows, or any unusual use of Process.Kill() and extension methods.

In industrial environments, validating the integrity of industrial control systems (ICS) is paramount. This includes implementing write-verification for PLC commands, establishing baseline PLC success rates, and closely monitoring for sudden declines in write confirmations.

By adopting these practices, organizations can significantly strengthen their software supply chain and mitigate the risk of hidden malicious logic. This campaign illustrates how supply-chain attacks can weaponize trusted code and exploit time delays to achieve harmful outcomes while remaining undetected.