

Ethical Hacking News

Nine NuGet Packages Disrupt DBs and Industrial Systems with Time-Delayed Payloads: A Sophisticated Supply Chain Attack



Nine malicious NuGet packages have been found that deploy time-delayed payloads to disrupt databases and industrial control systems. The packages target SQL Server, PostgreSQL and SQLite, and reach industrial PLCs through a typosquat called Sharp7Extend, which bundles the genuine Sharp7 library alongside concealed malware to evade detection.

  • Nine malicious NuGet packages were discovered to pose a significant threat to databases and industrial control systems.
  • The most dangerous package, Sharp7Extend, targets industrial PLCs with dual sabotage mechanisms.
  • The attack is believed to have Chinese origins, despite the attacker's identity remaining unknown.
  • The malicious packages use time-delayed payloads that can disrupt databases and industrial systems.
  • The attack can have severe consequences in manufacturing environments, where safety-critical systems depend on industrial control systems operating smoothly.



    Nine NuGet packages, published between 2023 and 2024 by "shanhai666", have been discovered to be malicious, posing a significant threat to databases and industrial control systems. These packages were downloaded over 9,488 times before they were identified as part of a sophisticated supply chain attack.

    According to Socket's Threat Research Team, the most dangerous package is Sharp7Extend, which targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation. This attack can have severe consequences, particularly in manufacturing environments where safety-critical systems are dependent on the smooth operation of these industrial control systems.

    All of the malicious packages were published under the alias "shanhai666", but their metadata varies to hide the connection between them. Chinese-language comments and malformed signatures suggest a Chinese origin and deliberate evasion of security detection. The attacker's identity remains unknown.

    These nine NuGet packages threaten the database providers used in .NET applications (SQL Server, PostgreSQL and SQLite) as well as industrial control systems, the latter through the Sharp7Extend package. The malicious packages deploy time-delayed payloads that can disrupt databases and industrial systems, with triggers set for future dates (2027-2028) or for immediate activation.

    The Sharp7Extend package starts disrupting its host immediately, through random process termination, and continues until June 2028. It also silently corrupts data: after an initial 30-90 minute grace period, 80% of write operations fail without any error message, affecting actuators, setpoints, safety systems, and production controls. Combined, the two mechanisms produce random crashes and hidden data corruption, which makes the attack very hard to detect.


    "This campaign demonstrates sophisticated techniques rarely combined in NuGet supply chain attacks," concludes the report. "The time gap between installation and activation, up to three years for database packages, 30-90 minutes for Sharp7Extend's write sabotage, immediate for Sharp7Extend's process termination makes attribution nearly impossible."

    In response to this threat, Socket shared its findings with NuGet on November 5, 2025; the platform confirmed an investigation and removal efforts.
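
A dependency sweep for the package named above, as an added example that is not from the article or from Socket's report: it checks .NET project files, packages.config and packages.lock.json (which also records transitive dependencies) for blocklisted package IDs. Only Sharp7Extend is on the blocklist because it is the only ID the article names; the sample manifest and its version numbers are constructed.

```python
import json
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Only Sharp7Extend is named in the article; add the other package IDs from the
# vendor report. NuGet package IDs are compared case-insensitively.
BLOCKLIST = {"sharp7extend"}
GLOBS = ("*.csproj", "*.vbproj", "*.fsproj", "*.props", "packages.config", "packages.lock.json")
# Constructed sample (versions are made up): the typosquat beside the real library.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Sharp7" Version="1.0.0" />
  <PackageReference Include="sharp7extend" Version="1.0.0" />
</ItemGroup></Project>"""

def package_ids(filename, text):
    """Package IDs one manifest references; lock files also list transitive ones."""
    if filename.lower() == "packages.lock.json":
        deps = json.loads(text).get("dependencies", {})
        return [pid for framework in deps.values() for pid in framework]
    ids = []
    for el in ET.fromstring(text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the MSBuild XML namespace if present
        if tag in ("PackageReference", "PackageVersion"):
            ids.append(el.get("Include") or el.get("Update") or "")
        elif tag == "package":  # packages.config entry
            ids.append(el.get("id") or "")
    return ids

def scan_text(filename, text):
    """Sorted blocklisted IDs referenced by one manifest, as written in the file."""
    return sorted({i for i in package_ids(filename, text) if i.lower() in BLOCKLIST})

def scan_tree(root):
    """Map manifest path -> blocklisted IDs for every manifest found under root."""
    hits = {}
    for path in (p for g in GLOBS for p in Path(root).rglob(g)):
        try:
            found = scan_text(path.name, path.read_text("utf-8-sig", errors="replace"))
        except (ET.ParseError, ValueError, OSError):
            continue  # malformed or unreadable manifest: skip it, keep sweeping
        if found:
            hits[str(path)] = found
    return hits

if __name__ == "__main__":
    print("sample:", scan_text("demo.csproj", SAMPLE_CSPROJ))
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: {', '.join(found)}")
```

Run it with a repository path as the only argument. A hit in packages.lock.json but not in any project file means the package arrived as a transitive dependency.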



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Nine-NuGet-Packages-Disrupt-DBs-and-Industrial-Systems-with-Time-Delayed-Payloads-A-Sophisticated-Supply-Chain-Attack-ehn.shtml

  • https://securityaffairs.com/184383/malware/nine-nuget-packages-disrupt-dbs-and-industrial-systems-with-time-delayed-payloads.html


  • Published: Mon Nov 10 03:29:32 2025 by llama3.2 3B Q4_K_M












