In November 2025, security researchers from Socket uncovered a highly sophisticated supply chain attack involving nine malicious NuGet packages published under the alias shanhai666. These packages, disguised as legitimate .NET libraries, contained time-delayed and probabilistic destructive payloads designed to crash applications or silently corrupt industrial control systems (ICS). With nearly 9,500 downloads, the operation poses significant risk to enterprise, industrial, and critical infrastructure environments.
Severity: High
Threat Details
- Threat Actor and Distribution
• Alias: shanhai666
• Technique: Typosquatting legitimate .NET libraries, such as Sharp7
• Language/Origin Clues: Chinese-language strings in code and metadata
• Packages Published: 12 total (9 malicious, 3 clean to build trust)
- Destructive Payloads
• Malicious logic is inserted via C# extension methods, hiding in plain sight within otherwise functional code.
• Method Injection: .Exec() for DB ops, .BeginTran() for PLCs
• Trigger Mechanism:
  - Hardcoded trigger dates (e.g., Aug 8, 2027; Nov 29, 2028)
  - Probabilistic logic (20% chance to kill the process on each execution)
  - Sharp7Extend activates immediately on install, causing silent failures.
- Most Dangerous Package: Sharp7Extend
• Target: Siemens S7 PLCs in ICS environments
• Sabotage Mechanisms:
  - Immediate Process Termination: random 20% chance to crash the system per operation
  - Silent Write Failures: 30–90 minutes after installation, 80% of write operations silently fail, risking unresponsive actuators and broken safety mechanisms.
- Attack Characteristics
• Time-Delayed Activation: Delays range from 30 minutes to 3 years
• Probabilistic Execution: Random crashes make detection and forensics difficult
• Dual Mechanisms: Combines random crashes + silent corruption
• Code Camouflage: 99% of code is functional to pass reviews and testing
• Forged Metadata: Fake author names & malformed signatures to evade automated scans
• Targeted Systems: .NET apps using SQL Server, PostgreSQL, SQLite, and PLCs (via Sharp7)
Malicious Packages List
| Malicious Package Name | Target Platform | Summary of Malicious Behavior |
|---|---|---|
| Sharp7Extend | Siemens S7 PLCs | Immediate random process termination + delayed silent write failure (20% success rate) |
| SqlUnicornCore | SQL Server | Probabilistic kill (20%) on DB query after Nov 29, 2028 |
| SqlUnicornCoreTest | PostgreSQL | Same pattern as above; triggers post-Nov 29, 2028 |
| SqlLiteRepository | SQLite | Process kill logic after Nov 29, 2028 |
| SqlRepository | SQL Server | Probabilistic process termination on DB queries |
| MyDbRepository | SQL Server | Same logic; obfuscated under legitimate functionality |
| MCDbRepository | SQL Server | Triggered sabotage post-August 8, 2027 |
| SqlDbRepository | SQL Server | Contains .Exec() extension method with time-triggered termination logic |
| SqlUnicorn.Core | SQL Server (General) | Same as others; extension-based process killing mechanism |
MITRE ATT&CK
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Supply Chain Compromise – Software Supply Chain | T1195.002 |
| Defense Evasion | Masquerading – Match Legitimate Name or Location | T1036.005 |
| Impact | Service Stop (via random process termination) | T1489 |
| Impact | Data Manipulation – Stored Data Manipulation | T1565.001 |
Recommendations
- Organizations must audit all dependencies for the nine malicious packages listed above and assume any system with these packages is fully compromised.
- Review all PLC logs and verify operation outcomes. Assume PLC data corruption has occurred if Sharp7Extend was used.
- Validate NuGet packages beyond alias (shanhai666 used multiple fake authors); require signed, verified packages.
- Use EDR/XDR tools to alert on suspicious calls like Process.GetCurrentProcess().Kill() inside app binaries.
- Conduct training on identifying malicious packages, typosquatting, & time-delayed logic.
- Audit all PLC write operations for data integrity issues. Review safety system logs for missed commands or failed activations. Establish baseline monitoring for PLC communication success rates.
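A dependency audit in the spirit of the first recommendation, added here as an example and not part of the advisory: it reads direct references from a .csproj and direct plus transitive entries from packages.lock.json, then flags the nine package IDs listed above, comparing case-insensitively because NuGet IDs are. The two manifests are constructed samples, and the function names are this example's own.

```python
"""Audit .NET dependency manifests for the nine package IDs in the advisory."""
import json
import xml.etree.ElementTree as ET

# The nine malicious IDs named above; NuGet IDs are case-insensitive, so compare lowercase.
MALICIOUS_IDS = {p.lower() for p in (
    "Sharp7Extend", "SqlUnicornCore", "SqlUnicornCoreTest", "SqlLiteRepository",
    "SqlRepository", "MyDbRepository", "MCDbRepository", "SqlDbRepository",
    "SqlUnicorn.Core")}


def refs_from_csproj(xml_text):
    """(id, version) for each <PackageReference> in a .csproj; Version may be
    an attribute or a child element, so both forms are read."""
    refs = []
    for node in ET.fromstring(xml_text).iter("PackageReference"):
        pkg = node.get("Include") or node.get("Update")
        ver = node.get("Version") or (node.findtext("Version") or "").strip()
        if pkg:
            refs.append((pkg, ver))
    return refs


def refs_from_lock(json_text):
    """(id, resolved version) for every package in packages.lock.json, which
    also lists transitive dependencies the .csproj never mentions."""
    deps = json.loads(json_text).get("dependencies", {})
    return [(pkg, meta.get("resolved", "")) for fw in deps.values()
            for pkg, meta in fw.items()]


def find_malicious(refs):
    """Return the (id, version) pairs whose ID is on the advisory's list."""
    return sorted({(p, v) for p, v in refs if p.lower() in MALICIOUS_IDS})


# Constructed sample manifests for demonstration (not real project files).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Sharp7" Version="0.0.1" />
  <PackageReference Include="sharp7extend"><Version>0.0.2</Version></PackageReference>
</ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Sharp7": {"type": "Direct", "resolved": "0.0.1"},
    "SqlUnicorn.Core": {"type": "Transitive", "resolved": "0.0.3"}}}})

if __name__ == "__main__":
    hits = find_malicious(refs_from_csproj(SAMPLE_CSPROJ) + refs_from_lock(SAMPLE_LOCK))
    for pkg, ver in hits:
        print(f"MALICIOUS: {pkg} {ver}")
```

The legitimate Sharp7 reference is left alone while the lower-cased typosquat and the transitive SqlUnicorn.Core entry are both reported.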
Source: