Cybersecurity researchers identified four malicious NuGet packages targeting ASP.NET developers to steal sensitive data and create backdoors. The packages, published in August 2024 and downloaded over 4,500 times, exfiltrate ASP.NET Identity data and manipulate authorization rules. The campaign aims to compromise the applications built by developers, allowing threat actors persistent access to production systems. In a related incident, a malicious npm package named 'ambar-src' was also disclosed, having been downloaded over 50,000 times before removal.
Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data.
The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, as well as manipulates authorization rules to create persistent backdoors in victim applications.
The names of the packages are listed below -
- NCryptYo
- DOMOAuth2_
- IRAOAuth2.0
- SimpleWriter_
The NuGet packages were published to the repository between August 12 and 21, 2024, by a user named hamzazaheer. They have since been taken down from the repository following responsible disclosure, but not before attracting more than 4,500 downloads.
According to the software supply chain security company, NCryptYo acts as a first-stage dropper that establishes a local proxy on localhost:7152 that relays traffic to an attacker-controlled command-and-control (C2) server whose address is dynamically retrieved at runtime. It's worth noting that NCryptYo attempts to masquerade as the legitimate NCrypto package.
DOMOAuth2_ and IRAOAuth2.0 steal Identity data and backdoor apps, while SimpleWriter_ features unconditional file writing and hidden process execution capabilities while presenting itself as a PDF conversion utility. An analysis of package metadata has revealed identical build environments, indicating that the campaign is the work of a single threat actor.
"NCryptYo is a stage-1 execution-on-load dropper," security researcher Kush Pandya said. "When the assembly loads, its static constructor installs JIT compiler hooks that decrypt embedded payloads and deploy a stage-2 binary - a localhost proxy on port 7152 that relays traffic between the companion packages and the attacker's external C2 server, whose address is resolved dynamically at runtime."
Once the proxy is active, DOMOAuth2_ and IRAOAuth2.0 begin transmitting the ASP.NET Identity data through the local proxy to the external infrastructure. The C2 server responds with authorization rules that are then processed by the application to create a persistent backdoor by granting themselves admin roles, modifying access controls, or disabling security checks. SimpleWriter_, for its part, writes threat actor-controlled content to disk and executes the dropped binary with hidden windows.
It's not exactly clear how users are tricked into downloading these packages, as the attack chain kicks in only after all four of them are installed.
"The campaign's objective is not to compromise the developer's machine directly, but to compromise the applications they build," Pandya explained. "By controlling the authorization layer during development, the threat actor gains access to deployed production applications."
"When the victim deploys their ASP.NET application with the malicious dependencies, the C2 infrastructure remains active in production, continuously exfiltrating permission data and accepting modified authorization rules. The threat actor or a buyer can then grant themselves admin-level access to any deployed instance."
The disclosure comes as Tenable disclosed details of a malicious npm package named ambar-src that amassed more than 50,000 downloads before it was removed from the JavaScript registry. It was uploaded to npm on February 13, 2026.
The package makes use of npm's preinstall script hook to trigger the execution of malicious code contained within index.js during its installation. The malware is designed to run a one-liner command that obtains different payloads from the domain "x-ya[.]ru" based on the operating system -
- On Windows, it downloads and executes a file called msinit.exe containing encrypted shellcode, which is decoded and loaded into memory.
- On Linux, it fetches a bash script and executes it. The bash script then retrieves another payload from the same server, an ELF binary that works as an SSH-based reverse shell client.
- On macOS, it fetches another script that uses osascript to run JavaScript responsible for dropping Apfell, a JavaScript for Automation (JXA) agent part of the Mythic C2 framework that can conduct reconnaissance, collect screenshots, steal data from Google Chrome, and capture system passwords by displaying a fake prompt.
"It employs multiple techniques to evade detection, and drops open-source malware with advanced capabilities, targeting developers on Windows, Linux, and macOS hosts," the company said.
Once the data is collected, it's exfiltrated to the attacker to a Yandex Cloud domain in an effort to blend in with legitimate traffic and take advantage of the fact that trusted services are less likely to be blocked within corporate networks.
Ambar-src is assessed to be a more mature variant of eslint-verify-plugin, another rogue npm package that was recently flagged by JFrog as dropping Mythic agents Poseidon and Apfell on Linux and macOS systems.
"If this package is installed or running on a computer, that system must be considered fully compromised," Tenable said. "While the package should be removed, please be aware that because an external entity may have gained full control of the computer, removing the package does not guarantee the elimination of all resulting malicious software."
Meridiano
