Malicious NuGet Packages Target Databases and Industrial Systems


In November 2025, security researchers at Socket reported a supply chain attack involving nine malicious NuGet packages published under the alias shanhai666. The packages, disguised as legitimate .NET libraries, carry time-delayed and probabilistic destructive payloads that crash the host application or silently corrupt write operations to industrial control systems (ICS). With nearly 9,500 combined downloads, the campaign poses a significant risk to enterprise, industrial, and critical infrastructure environments.

Severity: High

Threat Details

  1. Threat Actor and Distribution
    • Alias: shanhai666
    • Technique: typosquatting legitimate .NET libraries, such as Sharp7 (the Siemens S7 client library)
    • Language/origin clues: Chinese-language strings in code and metadata
    • Packages published: 12 in total (9 malicious, 3 clean to build trust)
  2. Destructive Payloads
    • Malicious logic is inserted as C# extension methods, hiding in plain sight inside otherwise functional code.
    • Injected methods: .Exec() for database operations, .BeginTran() for PLC operations
    • Trigger mechanisms:
      - Hardcoded trigger dates (e.g., Aug 8, 2027; Nov 29, 2028) after which the destructive path becomes active
      - Probabilistic logic (20% chance to kill the process on each execution)
      - Sharp7Extend has no date gate: its kill logic is active immediately after installation, and its silent write failures begin within 30 to 90 minutes.
  3. Most Dangerous Package: Sharp7Extend
    • Target: Siemens S7 PLCs in ICS environments
    • Sabotage mechanisms:
      - Immediate process termination: random 20% chance to kill the host process on each operation
      - Silent write failures: 30 to 90 minutes after installation, 80% of write operations fail silently while the API still reports success, risking unresponsive actuators and broken safety mechanisms.
  4. Attack Characteristics
    • Time-delayed activation: delays range from 30 minutes to about 3 years
    • Probabilistic execution: random crashes make detection and forensics difficult
    • Dual mechanisms: random crashes combined with silent corruption
    • Code camouflage: roughly 99% of the code is functional, so the packages pass review and testing
    • Forged metadata: fake author names and malformed signatures to evade automated scans
    • Targeted systems: .NET apps using SQL Server, PostgreSQL, SQLite, and Siemens S7 PLCs (via Sharp7)
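The combination described above (an extension method that terminates the host process behind a hardcoded date or a random roll) can be triaged statically once a suspect assembly has been decompiled. The following is an added example written for this advisory, not code from Socket's research or from the packages themselves: it scans C# source text (for instance ILSpy or dnSpy output) for extension method declarations and reports those whose body contains a process-kill call together with a `new DateTime(...)` literal or a `Random` draw. The sample source is constructed to resemble the described behaviour and the regexes are triage heuristics, not a parser.

```python
"""Heuristic static triage for the time-delayed, probabilistic kill pattern
described in the advisory. Input is C# source text, e.g. decompiler output
from ILSpy or dnSpy for a suspect NuGet assembly."""
import re
from dataclasses import dataclass, field
from datetime import date

# Indicators from the advisory: process termination, hardcoded future dates,
# and a random roll gating the kill, all inside an extension method.
KILL_RE = re.compile(
    r"Process\.GetCurrentProcess\(\)\.Kill\(\)|Environment\.(?:Exit|FailFast)\(")
DATE_RE = re.compile(r"new\s+DateTime\(\s*(\d{4})\s*,\s*(\d{1,2})\s*,\s*(\d{1,2})")
RANDOM_RE = re.compile(r"new\s+Random\s*\(|Random\.Shared|\.Next(?:Double)?\s*\(")
# "static <type> Name(this <T> x" marks a C# extension method declaration.
EXT_METHOD_RE = re.compile(r"static\s+[\w<>\[\],.]+\s+(\w+)\s*\(\s*this\s+")


@dataclass
class Finding:
    method: str
    kills_process: bool
    uses_random: bool
    trigger_dates: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Terminating the host process from an extension method is already
        # out of place; a date gate or random roll next to it is the pattern.
        return self.kills_process and (self.uses_random or bool(self.trigger_dates))


def _method_body(src: str, start: int) -> str:
    """Return the brace-delimited block starting at the first '{' after start.
    Braces inside string literals are not special-cased; fine for triage."""
    open_idx = src.find("{", start)
    if open_idx < 0:
        return ""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx:i + 1]
    return src[open_idx:]


def scan_extension_methods(src: str) -> list:
    findings = []
    for m in EXT_METHOD_RE.finditer(src):
        body = _method_body(src, m.end())
        dates = []
        for y, mo, d in DATE_RE.findall(body):
            try:
                dates.append(date(int(y), int(mo), int(d)))
            except ValueError:  # e.g. month 13: not a real date, ignore
                continue
        findings.append(Finding(
            method=m.group(1),
            kills_process=bool(KILL_RE.search(body)),
            uses_random=bool(RANDOM_RE.search(body)),
            trigger_dates=dates,
        ))
    return findings


def flagged_methods(src: str) -> list:
    return [f.method for f in scan_extension_methods(src) if f.suspicious]


# Constructed sample resembling the described behaviour; not the real package code.
SAMPLE_SOURCE = r"""
public static class DbExtensions
{
    public static int Exec(this IDbCommand cmd)
    {
        if (DateTime.Now > new DateTime(2028, 11, 29) && new Random().Next(100) < 20)
        {
            Process.GetCurrentProcess().Kill();
        }
        return cmd.ExecuteNonQuery();
    }

    public static void BeginTran(this S7Client client)
    {
        if (new Random().Next(100) < 20)   // no date gate: active on install
        {
            Process.GetCurrentProcess().Kill();
        }
    }

    public static string Trim2(this string s)
    {
        return s.Trim();
    }
}
"""

if __name__ == "__main__":
    for f in scan_extension_methods(SAMPLE_SOURCE):
        print(f.method, "SUSPICIOUS" if f.suspicious else "ok",
              [d.isoformat() for d in f.trigger_dates])
```

A hit is a reason to pull the assembly for manual review, not proof by itself; legitimate code rarely terminates the process from an extension method, but the regexes will also fire on any test helper that does.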

Malicious Packages List

Package              Target platform        Malicious behaviour
Sharp7Extend         Siemens S7 PLCs        Immediate random process termination (20% per operation); 30 to 90 minutes after installation, 80% of writes silently fail
SqlUnicornCore       SQL Server             Probabilistic kill (20%) on DB query after Nov 29, 2028
SqlUnicornCoreTest   PostgreSQL             Same pattern; triggers after Nov 29, 2028
SqlLiteRepository    SQLite                 Process kill logic after Nov 29, 2028
SqlRepository        SQL Server             Probabilistic process termination on DB queries
MyDbRepository       SQL Server             Same logic, hidden under legitimate functionality
MCDbRepository       SQL Server             Triggered sabotage after Aug 8, 2027
SqlDbRepository      SQL Server             .Exec() extension method with time-triggered termination logic
SqlUnicorn.Core      SQL Server (general)   Same as the others; extension-method-based process killing
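The package IDs in the table are the indicators to hunt for. As an added example (not part of the advisory), the script below checks the four places a .NET build records its dependencies, namely `PackageReference` entries in .csproj files, packages.config, packages.lock.json and project.assets.json, as well as directory names in a NuGet global packages folder, against that list. NuGet IDs are case-insensitive, so the comparison is done in lower case. The manifest snippets and version numbers are constructed for the demonstration; the file layouts are the standard NuGet ones.

```python
"""Audit .NET dependency manifests for the nine package IDs in the table above."""
import json
import xml.etree.ElementTree as ET
from pathlib import Path

MALICIOUS_PACKAGE_IDS = {
    "Sharp7Extend", "SqlUnicornCore", "SqlUnicornCoreTest", "SqlLiteRepository",
    "SqlRepository", "MyDbRepository", "MCDbRepository", "SqlDbRepository",
    "SqlUnicorn.Core",
}
# NuGet package IDs are case-insensitive, so compare in lower case.
_WATCHLIST = {p.lower() for p in MALICIOUS_PACKAGE_IDS}


def _local(tag: str) -> str:
    """Strip an XML namespace (old-style csproj files carry the MSBuild xmlns)."""
    return tag.rsplit("}", 1)[-1]


def refs_from_csproj(text: str) -> list:
    refs = []
    for el in ET.fromstring(text).iter():
        if _local(el.tag) == "PackageReference" and el.get("Include"):
            # Version is usually an attribute, occasionally a child element.
            version = el.get("Version") or next(
                (c.text or "" for c in el if _local(c.tag) == "Version"), "")
            refs.append((el.get("Include"), version))
    return refs


def refs_from_packages_config(text: str) -> list:
    return [(el.get("id"), el.get("version", ""))
            for el in ET.fromstring(text).iter()
            if _local(el.tag) == "package" and el.get("id")]


def refs_from_lock_json(text: str) -> list:
    # packages.lock.json: {"dependencies": {"<tfm>": {"<id>": {"resolved": ...}}}}
    return [(pkg_id, info.get("resolved", ""))
            for deps in json.loads(text).get("dependencies", {}).values()
            for pkg_id, info in deps.items()]


def refs_from_assets_json(text: str) -> list:
    # project.assets.json: {"libraries": {"<id>/<version>": {...}}}
    refs = []
    for key in json.loads(text).get("libraries", {}):
        pkg_id, _, version = key.partition("/")
        refs.append((pkg_id, version))
    return refs


def flag_malicious(refs: list) -> list:
    """Return the (id, version) pairs that are on the watchlist."""
    return [(pid, ver) for pid, ver in refs if pid.lower() in _WATCHLIST]


PARSERS = {
    "packages.config": refs_from_packages_config,
    "packages.lock.json": refs_from_lock_json,
    "project.assets.json": refs_from_assets_json,
}


def audit_tree(root: Path) -> dict:
    """Walk a source tree or a NuGet global packages folder; map path -> hits.
    In the global packages folder each package is a directory named by its ID."""
    hits = {}
    for path in root.rglob("*"):
        if path.is_dir():
            if path.name.lower() in _WATCHLIST:
                hits[str(path)] = [(path.name, "")]
            continue
        parser = PARSERS.get(path.name)
        if parser is None and path.suffix.lower() == ".csproj":
            parser = refs_from_csproj
        if parser is None:
            continue
        try:
            found = flag_malicious(parser(path.read_text(encoding="utf-8-sig")))
        except (ET.ParseError, json.JSONDecodeError, OSError, UnicodeDecodeError):
            continue
        if found:
            hits[str(path)] = found
    return hits


# Constructed manifests; the version numbers are illustrative, not observed ones.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sharp7" Version="1.1.0" />
    <PackageReference Include="sharp7extend">
      <Version>1.2.0</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Dapper" version="2.1.35" targetFramework="net48" />
  <package id="SqlRepository" version="3.0.1" targetFramework="net48" />
</packages>"""
SAMPLE_LOCK_JSON = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Sharp7": {"type": "Direct", "resolved": "1.1.0"},
    "SqlUnicorn.Core": {"type": "Direct", "resolved": "2.1.0"}}}})
SAMPLE_ASSETS_JSON = json.dumps({"version": 3, "libraries": {
    "Sharp7/1.1.0": {"type": "package"},
    "MCDbRepository/1.0.0": {"type": "package"}}})

if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, found in audit_tree(root).items():
        print(path, found)
```

Run it against every checkout and build server, and separately against each developer's and CI runner's global packages folder (by default `~/.nuget/packages`), since a package that was restored once remains cached there after it is removed from the project file.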

MITRE ATT&CK

Tactic            Technique                                                  ID
Initial Access    Supply Chain Compromise: Compromise Software Supply Chain  T1195.002
Defense Evasion   Masquerading: Match Legitimate Name or Location            T1036.005
Impact            Service Stop (random process termination)                  T1489
Impact            Data Manipulation: Stored Data Manipulation                T1565.001

Recommendations

  1. Audit all dependency manifests and lock files (.csproj PackageReference entries, packages.config, packages.lock.json, project.assets.json) and the NuGet package cache on developer and build machines for the nine packages listed above, and treat any system that restored them as fully compromised.
  2. Review PLC logs and verify the outcome of every write. Assume PLC data corruption has occurred wherever Sharp7Extend was in use.
  3. Do not trust a package on author name alone (shanhai666 published under multiple fake author names); require signed packages from verified publishers and pin dependency versions.
  4. Use EDR/XDR tooling to alert on process self-termination calls such as Process.GetCurrentProcess().Kill() in application binaries; a database or PLC helper library has no legitimate reason to make them.
  5. Train developers to recognise malicious packages, typosquatting, and time-delayed logic during code review.
  6. Audit all PLC write operations for data integrity issues, review safety system logs for missed commands or failed activations, and establish baseline monitoring of PLC communication success rates so that a sudden drop stands out.
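Recommendations 2 and 6 only work if write outcomes are actually verified, because the failure mode described for Sharp7Extend is that the client reports success while the PLC never takes the value. The following is an added example, not the advisory's own code: it pairs each logged write with the subsequent read-back of the same address, counts silent failures (no read-back, or a different value), and compares the failure rate per window of writes against a baseline. It assumes the application logs writes and read-backs in the constructed line format parsed below; that format is invented for the example and is not a Sharp7 or S7 log format.

```python
"""Write-verification check for PLC traffic, for recommendations 2 and 6.
Assumes the application logs each write and a read-back of the same address
in the constructed line format parsed below (not a Sharp7 or S7 log format)."""
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>WRITE|READBACK) db=(?P<db>\d+) "
    r"start=(?P<start>\d+) value=(?P<value>\S+)$")


@dataclass
class WriteCheck:
    ts: str
    db: int
    start: int
    written: str
    readback: Optional[str] = None

    @property
    def silent_failure(self) -> bool:
        # The client reported success (the WRITE was logged) but the PLC does
        # not hold the value: no read-back arrived, or it shows something else.
        return self.readback != self.written


def pair_writes_with_readbacks(lines) -> list:
    pending = {}   # (db, start) -> WriteCheck waiting for its read-back
    checks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["db"]), int(m["start"]))
        if m["kind"] == "WRITE":
            if key in pending:          # previous write was never verified
                checks.append(pending.pop(key))
            pending[key] = WriteCheck(m["ts"], key[0], key[1], m["value"])
        elif key in pending:
            wc = pending.pop(key)
            wc.readback = m["value"]
            checks.append(wc)
    checks.extend(pending.values())
    checks.sort(key=lambda c: c.ts)     # ISO-8601 timestamps sort lexically
    return checks


def failure_rates(checks: list, window: int = 10) -> list:
    """Silent-failure rate per consecutive window of `window` writes."""
    rates = []
    for i in range(0, len(checks), window):
        chunk = checks[i:i + window]
        rates.append(sum(c.silent_failure for c in chunk) / len(chunk))
    return rates


def windows_above_baseline(rates: list, baseline: float = 0.0,
                           tolerance: float = 0.05) -> list:
    """Indices of windows whose failure rate exceeds baseline plus tolerance.
    Set baseline from a known-good period; a healthy link is close to zero."""
    return [i for i, r in enumerate(rates) if r > baseline + tolerance]


def constructed_log() -> list:
    """Constructed sample: 10 healthy writes, then 10 writes of which 8 silently
    fail (the read-back still shows the previous value), mirroring the 80% figure."""
    lines = []
    for i in range(20):
        ts = f"2025-11-10T08:{i:02d}:00Z"
        wanted = f"0x{i + 1:04X}"
        held = wanted if i < 10 or i % 10 >= 8 else f"0x{i:04X}"
        lines.append(f"{ts} WRITE db=1 start=0 value={wanted}")
        lines.append(f"{ts} READBACK db=1 start=0 value={held}")
    return lines


if __name__ == "__main__":
    checks = pair_writes_with_readbacks(constructed_log())
    rates = failure_rates(checks)
    for idx, rate in enumerate(rates):
        flag = "ALERT" if idx in windows_above_baseline(rates) else "ok"
        print(f"window {idx}: silent failure rate {rate:.0%} {flag}")
```

The important design point is that the check reads the value back from the PLC rather than trusting the client library's return code; a library that lies about success is exactly what this advisory describes, and a return-code-based success metric would stay at 100% throughout.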

Ampcus Cyber