Malicious NuGet packages drop disruptive 'time bombs'
By Bill Toulas
November 7, 2025
03:53 PM
Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices.
The embedded malicious code uses a probabilistic trigger, so it may or may not activate depending on a set of parameters on the infected device.
NuGet is an open-source package manager and software distribution system, enabling developers to download and include ready-to-run .NET libraries for their projects.
Researchers at code security company Socket found nine malicious packages on NuGet, all published under the developer name shanhai666, that featured legitimate functionality along with the harmful code.
The packages "strategically target all three major database providers used in .NET applications (SQL Server, PostgreSQL, SQLite)." However, the most dangerous of them is Sharp7Extend, which targets users of the legitimate Sharp7 library for communicating over Ethernet with Siemens programmable logic controllers (PLCs).
"By appending 'Extend' to the trusted Sharp7 name, the threat actor exploits developers searching for Sharp7 extensions or enhancements," Socket researchers said.
Under the shanhai666 developer name, NuGet listed 12 packages, but only nine of them included malicious code:
SqlUnicorn.Core
SqlDbRepository
SqlLiteRepository
SqlUnicornCoreTest
SqlUnicornCore
SqlRepository
MyDbRepository
MCDbRepository
Sharp7Extend
At publishing time, no packages are listed under that developer's name, but the delisting occurred only after the download count had almost reached 9,500.
Sneaking a “bomb” for 2028
According to Socket researchers, the packages contain mostly (99%) legitimate code, creating a false sense of safety and trust, but include a small 20-line malicious payload.
"The malware exploits C# extension methods to transparently inject malicious logic into every database and PLC operation," Socket explains in a report this week.
The extension methods execute every time an application performs a database query or a PLC operation. The code also checks the current date on the compromised system against a hardcoded trigger date, which ranges from August 8, 2027, to November 29, 2028.
[Figure: Trigger date for November 2028. Source: Socket]
If the date condition is a match, the code instantiates a 'Random' object to generate a number between 1 and 100, and if it's higher than 80 (20% chance), calls 'Process.GetCurrentProcess().Kill()' for the immediate termination of the host process.
For typical PLC clients that call transactional or connection methods frequently, this would lead to an immediate stop of operations.
The Sharp7Extend package, which impersonates the legitimate Sharp7 library, a popular .NET communication layer for Siemens S7 PLCs, follows the opposite approach, immediately terminating PLC communications in 20% of cases. This mechanism is set to expire on June 6, 2028.
A second sabotage method in the Sharp7Extend package consists of code that tries to read a nonexistent configuration value. As a result, the initialization always fails.
Another mechanism creates a filter value for internal PLC operations and sets a payload execution delay between 30 and 90 minutes.
After that time has elapsed, PLC writes that pass through the filter have an 80% chance to get corrupted, resulting in actuators not receiving commands, setpoints not being updated, safety systems not engaging, and production parameters not being modified.
[Figure: Corrupting PLC writes. Source: Socket]
"The combination of immediate random process termination (via BeginTran()) and delayed write corruption (via ResFliter) creates a sophisticated multi-layered attack that evolves over time," Socket researchers say.
While the exact goals and origins of these extensions remain unclear, organizations potentially impacted are recommended to immediately audit their assets for the nine packages and assume compromise if any are present.
For industrial environments running Sharp7Extend, audit PLC write operations for integrity, check safety system logs for missed commands or failed activations, and implement write-verification for critical operations.
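As an added example (not code from the article or from Socket), the following Python script implements the audit step recommended above: it parses .csproj, packages.config and packages.lock.json manifests and flags any reference to the nine package names, comparing case-insensitively as NuGet does. The sample manifests are constructed and the helper names are my own.

```python
import json
import xml.etree.ElementTree as ET
from pathlib import Path

# The nine package names from the Socket report; NuGet IDs compare case-insensitively.
MALICIOUS_PACKAGES = {
    "sqlunicorn.core", "sqldbrepository", "sqlliterepository", "sqlunicorncoretest",
    "sqlunicorncore", "sqlrepository", "mydbrepository", "mcdbrepository", "sharp7extend",
}

def xml_attrs(text, tag, attr):
    """Values of `attr` on every element whose tag ends with `tag` (namespace-agnostic)."""
    return [e.get(attr) for e in ET.fromstring(text).iter()
            if e.tag.endswith(tag) and e.get(attr)]

PARSERS = {
    # SDK-style projects: <PackageReference Include="Id" Version="..."/>
    ".csproj": lambda t: xml_attrs(t, "PackageReference", "Include"),
    # legacy packages.config: <package id="Id" version="..."/>
    "packages.config": lambda t: xml_attrs(t, "package", "id"),
    # packages.lock.json lists direct and transitive dependencies per target framework
    "packages.lock.json": lambda t: [p for fw in json.loads(t).get("dependencies", {}).values() for p in fw],
}

def find_hits(files):
    """files: {path: content}. Returns sorted (path, package id) pairs naming a listed package."""
    hits = []
    for path, text in files.items():
        p = Path(path)
        parser = PARSERS.get(p.name.lower()) or PARSERS.get(p.suffix.lower())
        if parser:
            hits += [(path, pkg) for pkg in parser(text) if pkg.lower() in MALICIOUS_PACKAGES]
    return sorted(hits)

def scan_tree(root):
    """Walk a real checkout and run find_hits() over every manifest it contains."""
    paths = [p for p in Path(root).rglob("*")
             if p.is_file() and (p.name.lower() in PARSERS or p.suffix.lower() in PARSERS)]
    return find_hits({str(p): p.read_text(encoding="utf-8-sig") for p in paths})

# Constructed sample manifests (not taken from the report); version numbers are placeholders.
SAMPLE_FILES = {
    "src/Plc/Plc.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
        '<PackageReference Include="Sharp7" Version="0.0.0" />'
        '<PackageReference Include="Sharp7Extend" Version="0.0.0" /></ItemGroup></Project>',
    "src/Data/packages.config": '<?xml version="1.0" encoding="utf-8"?><packages>'
        '<package id="Npgsql" version="0.0.0" /><package id="SQLUNICORNCORE" version="0.0.0" /></packages>',
    "src/Data/packages.lock.json": json.dumps({"version": 1, "dependencies": {
        "net8.0": {"Dapper": {"type": "Direct"}, "MCDbRepository": {"type": "Transitive"}}}}),
}
```

Run `scan_tree("/path/to/checkout")` against a real repository; the lock-file parser matters because a listed package can arrive as a transitive dependency that never appears in a .csproj.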