JFrog experts warned that attackers are targeting .NET developers through malicious packages from the NuGet repository and infecting their systems with malware that steals cryptocurrency.
Let me remind you that we also said that Researchers discovered four npm packages that were collecting user data, and also that Log4j vulnerability threatens 35,000 Java packages.
Also, information security specialists reported that 10 Malicious PyPI Packages Steal Credentials.
The attackers disguise their packages (three of which have been downloaded over 150,000 times in a month) as real-life popular tools using typesquatting.
The researchers note that a large number of downloads may indicate a large number of developers whose systems were compromised, but it is also possible that hackers deliberately used bots to artificially boost the “popularity” of their packages in NuGet.
It is also noted that the attackers used typesquatting when creating their profiles in NuGet, and tried to be like Microsoft developers. The list of packages used by the hackers can be seen below.
| Package name | Owner | Downloads | published | real package |
| Coinbase Core | BinanceOfficial | 121 900 | 2023-02-22 | Coinbase |
| Anarchy.Wrapper.Net | Official Development Team | 30 400 | 2023-02-21 | Anarchy Wrapper |
| DiscordRichPresence.API | Official Development Team | 14 100 | 2023-02-21 | DiscordRichPresence |
| Avalon-Net-Core | joeIverhagen | 1200 | 2023-01-03 | AvalonEdit |
| Manage.Carasel.Net | Official Development Team | 559 | 2023-02-21 | N/A |
| asip.net.core | BinanceOfficial | 246 | 2023-02-22 | Microsoft.AspNetCore |
| Sys.Forms.26 | joeIverhagen | 205 | 2023-01-03 | System.Windows.Forms |
| Azetap.API | DevNuget | 153 | 2023-02-27 | N/A |
| AvalonNetCore | Rahul Mohammad | 67 | 2023-01-04 | AvalonEdit |
| Json.Manager.Core | BestDeveIopers | 46 | 2023-03-12 | Standard .NET name |
| Managed.Windows.Core | mahamadrohu | 37 | 2023-01-05 | Standard .NET name |
| Nexzor.Graphical.Designer.Core | Impala | 36 | 2023-03-12 | N/A |
| Azeta.API | Soubata | 28 | 2023-02-24 | N/A |
The malicious packages were designed to download and execute a PowerShell-based dropper script (init.ps1) that configured the infected machine to run PowerShell without restrictions. In this next phase of the attack, the script downloaded and ran the payload, a Windows executable file described by the researchers as a “completely custom payload executable.”
Experts say this is a very unusual approach compared to other attackers who mostly use open-source tools and standard malware instead of creating their own payloads.
The malware eventually deployed on compromised machines could be used to steal cryptocurrency (by exfiltrating victims’ cryptocurrency wallet data via Discord webhooks), extracting and executing malicious code from Electron archives, and automatically updating from the command-and-control server.
