TLDR
Nine NuGet packages contain hidden logic bombs. They will activate in 2027‑2028 to disrupt databases and industrial PLCs.
What happened
Security researchers discovered nine malicious NuGet packages on the public feed. The packages were published by a user named shanhai666. The feed shows almost 9,500 total downloads. Each package contains a concealed payload. The payload is a logic bomb that waits for a specific calendar date. The trigger dates are set for 2027 and 2028. The bombs are designed to fire without any external command. The code is obfuscated to avoid static detection.

The most dangerous package is called Sharp7Extend. Sharp7Extend targets Siemens and Allen‑Bradley PLCs. It can terminate a running process instantly. It can also corrupt write operations after a delay. Other packages focus on SQL Server and MySQL libraries. They aim to corrupt transaction logs.

The malicious code is hidden behind legitimate functionality. The packages claim to provide useful extensions for .NET developers. The readme files contain normal usage examples. The binaries are signed with a self‑generated certificate. The certificate is not trusted by any major root store.

The attack chain begins when a developer adds the package to a project. The package is then compiled into the final application. The logic bomb remains dormant during normal testing. It only activates when the system clock matches the trigger date. The date checks are hard‑coded in the IL. The code checks both the year and the day of month. If the condition is true, the bomb executes its payload. The payload for database packages drops tables and disables logins. The payload for PLC packages sends a stop command to the controller. It also overwrites configuration registers. The result is a sudden halt of the production line.

The attack is silent until the trigger date arrives. Because the code is dormant, traditional AV tools miss it. The researchers traced the package upload time to early 2024. The user account used for publishing has no public profile. The account was created just weeks before the first upload.
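Because the trigger is a plain calendar comparison, a dependency like this looks clean on every test run that happens before the hard-coded date. The practical way to surface it in a test environment is to drive the code through many simulated dates rather than the single date on the build machine. The clock-sweep harness below is an added example, not code from the researchers or from any of the nine packages; the `constructed_suspect` function is a constructed stand-in whose "payload" is only a different return value, and the year 2027 and day 15 inside it are assumed values chosen for illustration.

```python
"""Clock-sweep harness: find calendar days on which a function's behaviour
diverges from its baseline behaviour.

Added example (not the researchers' tooling). The function under test takes
the 'current' date as a parameter so the sweep never touches the real clock.
"""
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set


def constructed_suspect(today: date) -> str:
    """Constructed stand-in for a date-gated dependency (not real package code).

    It mirrors the shape described in the write-up, a hard-coded year combined
    with a day-of-month check, but the only effect is the return value.
    """
    if today.year == 2027 and today.day == 15:   # assumed trigger for the demo
        return "divergent"
    return "normal"


def clock_sweep(fn: Callable[[date], object], start: date, end: date) -> List[date]:
    """Call fn once per calendar day in [start, end] and return every day on
    which its result differs from the result observed on `start` (the baseline)."""
    baseline = fn(start)
    hits: List[date] = []
    day = start
    while day <= end:
        if fn(day) != baseline:
            hits.append(day)
        day += timedelta(days=1)
    return hits


def characterize(hits: List[date]) -> Dict[str, Set[int]]:
    """Summarise which calendar fields the divergent days share. A result such
    as years={2027}, days={15}, months=1..12 is a strong hint that the trigger
    compares only the year and the day of month, as the write-up describes."""
    return {
        "years": {d.year for d in hits},
        "months": {d.month for d in hits},
        "days": {d.day for d in hits},
    }


def audit(fn: Callable[[date], object], start: date, end: date) -> Dict[str, object]:
    """Run the sweep and return a small report an analyst can act on."""
    hits = clock_sweep(fn, start, end)
    first: Optional[date] = hits[0] if hits else None
    return {"count": len(hits), "first": first, "fields": characterize(hits)}


if __name__ == "__main__":
    # Sweep well past the product's support window; a trigger outside the range stays invisible.
    print(audit(constructed_suspect, date(2026, 1, 1), date(2028, 12, 31)))
```

In a real .NET build the same idea means running the integration suite under an injected clock (for example `System.TimeProvider`) or inside a sandbox whose clock is advanced with a tool such as libfaketime, and comparing outputs, database state and outbound traffic against a baseline run. Two caveats: a day-granular sweep misses a trigger that also checks the hour, and a trigger dated beyond the swept range is never exercised, so the range should run years past the planned lifetime of the build.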
The packages were removed from the feed after discovery. However, many developers may have already cached them. The threat actor’s identity remains unknown. The sophistication suggests a state‑linked group. Some analysts suspect a Chinese cyber‑crime syndicate. The logic bomb technique is rare in open‑source supply chain attacks. It shows a new level of patience and planning. The researchers shared indicators of compromise with the community. They also provided a timeline of the observed activity. The incident highlights the danger of trusting unsigned packages. It also demonstrates how time‑based triggers can evade detection for years.
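Removal from the feed does not purge copies already sitting in developers' local caches or on build agents, so the first check on a workstation is the NuGet global-packages folder. The script below is an added example, not the researchers' tooling: it assumes the standard cache layout `<root>/<id>/<version>/<id>.nuspec` (the `NUGET_PACKAGES` variable or `~/.nuget/packages` by default), uses the one package id the write-up names (Sharp7Extend) and the publisher name shanhai666 as indicators, and builds a throwaway cache with constructed entries so it runs offline.

```python
"""Audit a local NuGet global-packages cache for known-bad package ids and for
nuspec author names of interest.

Added example, not the researchers' tooling. Assumes the standard cache layout
<root>/<id-lowercase>/<version>/<id>.nuspec.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, Iterator, List, Set, Tuple

# Only Sharp7Extend is named in the write-up; append the remaining ids from the
# researchers' published indicator list (lower-case, as NuGet stores them).
KNOWN_BAD_IDS: Set[str] = {"sharp7extend"}
AUTHORS_OF_INTEREST: Set[str] = {"shanhai666"}


def default_cache_root() -> str:
    """NUGET_PACKAGES overrides the global folder; otherwise ~/.nuget/packages."""
    return os.environ.get("NUGET_PACKAGES") or os.path.join(
        os.path.expanduser("~"), ".nuget", "packages")


def iter_cached_packages(root: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (package_id, version, version_dir) for every cached package."""
    if not os.path.isdir(root):
        return
    for pkg in sorted(os.listdir(root)):
        pkg_dir = os.path.join(root, pkg)
        if not os.path.isdir(pkg_dir):
            continue
        for ver in sorted(os.listdir(pkg_dir)):
            ver_dir = os.path.join(pkg_dir, ver)
            if os.path.isdir(ver_dir):
                yield pkg.lower(), ver, ver_dir


def nuspec_authors(version_dir: str, package_id: str) -> Set[str]:
    """Read <authors> from the cached .nuspec, ignoring the XML namespace.
    This is self-reported metadata, so treat a match as a lead, not proof."""
    path = os.path.join(version_dir, f"{package_id}.nuspec")
    if not os.path.isfile(path):
        return set()
    try:
        tree_root = ET.parse(path).getroot()
    except ET.ParseError:
        return set()
    for el in tree_root.iter():
        if el.tag.rsplit("}", 1)[-1] == "authors" and el.text:
            return {a.strip().lower() for a in el.text.split(",") if a.strip()}
    return set()


def audit_cache(root: str) -> List[Dict[str, str]]:
    """Return one finding per cached package version that matches an indicator."""
    wanted_authors = {a.lower() for a in AUTHORS_OF_INTEREST}
    findings: List[Dict[str, str]] = []
    for pkg, ver, ver_dir in iter_cached_packages(root):
        reasons = []
        if pkg in KNOWN_BAD_IDS:
            reasons.append("package id on IoC list")
        if nuspec_authors(ver_dir, pkg) & wanted_authors:
            reasons.append("nuspec author of interest")
        if reasons:
            findings.append({"id": pkg, "version": ver, "path": ver_dir,
                             "reason": "; ".join(reasons)})
    return findings


def build_constructed_cache() -> str:
    """Create a throwaway cache with one benign and one suspicious entry.
    Both entries are constructed for the demo; only the second id and author
    come from the write-up."""
    root = tempfile.mkdtemp(prefix="nuget-audit-demo-")
    entries = {("example.benignlib", "2.1.0"): "Example Author",
               ("sharp7extend", "1.0.0"): "shanhai666"}
    for (pkg, ver), author in entries.items():
        d = os.path.join(root, pkg, ver)
        os.makedirs(d)
        with open(os.path.join(d, f"{pkg}.nuspec"), "w", encoding="utf-8") as f:
            f.write('<?xml version="1.0"?>\n'
                    '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">\n'
                    f'  <metadata><id>{pkg}</id><version>{ver}</version>'
                    f'<authors>{author}</authors></metadata>\n</package>\n')
    return root


if __name__ == "__main__":
    for finding in audit_cache(build_constructed_cache()):   # offline demo run
        print(finding)
    for finding in audit_cache(default_cache_root()):         # the real cache
        print(finding)
```

An empty result is not clearance: the nuspec author field is whatever the publisher typed, the cache on the developer machine may not be the one the CI agent used, and a package that was restored and then compiled into a shipped binary is no longer visible in any cache. Extend the same match to `packages.lock.json` and `project.assets.json` in checked-out repositories and to the package caches on every build agent.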