- Socket found nine NuGet packages with delayed sabotage targeting industrial control systems
- Sharp7Extend may corrupt Siemens S7 PLCs and randomly crash host processes
- Malicious code activates in 2027-2028; users are urged to audit for and remove the affected packages.
Thousands of critical infrastructure organizations, as well as organizations in other equally important vertical sectors, were the target of a malicious campaign that sought to sabotage their industrial control devices (ICD) two years from now, experts discovered.
Socket cybersecurity researchers recently found nine packages on NuGet containing sabotage payloads that would activate in 2027 and 2028 if certain conditions were met.
NuGet is the package manager for .NET and provides open source .NET libraries that software developers can easily integrate into their projects.
Thousands of victims
According to Socket, the packages targeted the three main database providers used in .NET applications: SQL Server, PostgreSQL and SQLite. The most dangerous of them, it added, is Sharp7Extend, a package aimed at users of the Sharp7 library.
“By adding ‘Extend’ to Sharp7’s trusted name, the threat actor exploits developers looking for Sharp7 extensions or enhancements,” Socket explained.
The account that hosted them is shanhai666 and, according to BleepingComputer, all of these packages have since been removed. Before that happened, the packages managed to rack up almost 10,000 downloads.
While almost all of the code in the packages (99%) was clean, the remaining 1% could be fatal: it was written to run whenever the application communicates with databases or Siemens S7 PLCs.
Siemens S7 industrial control devices are typically found in manufacturing plants and in the energy and utilities, chemical, oil and gas, building automation and transportation industries.
The payload is active only between August 8, 2027 and November 29, 2028, and does two destructive things: it randomly kills the host process 20% of the time (causing immediate halts), and, in the Sharp7Extend package, it breaks initialization and/or, after a 90-minute delay, corrupts PLC write commands with a probability of 80%.
Who uploaded these packages and for what purpose remains a mystery. Users are advised to audit their assets for these packages and remove them immediately.
Here is the full list of malicious packages discovered so far:
- SqlUnicorn.Core
- qlDbRepository
- SqlLite Repository
- SqlUnicornCoreTest
- SqlUnicornCore
- Sql Repository
- MyDbRepository
- MCDb Repository
- Sharp7Extender
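One way to carry out the audit the article recommends, as an added example that is not part of the original article or of Socket's research: scan a project's .csproj PackageReference entries or a legacy packages.config for the package IDs listed above. The sample project files are constructed, and matching ignores case and whitespace because some spacing in the printed list may be an extraction artefact.

```python
import re
import xml.etree.ElementTree as ET

# Package IDs exactly as the article prints them (plus Sharp7Extend as named in
# the body); matching below ignores whitespace and case.
REPORTED_PACKAGES = [
    "SqlUnicorn.Core", "qlDbRepository", "SqlLite Repository", "SqlUnicornCoreTest",
    "SqlUnicornCore", "Sql Repository", "MyDbRepository", "MCDb Repository",
    "Sharp7Extender", "Sharp7Extend",
]

def normalize(package_id: str) -> str:
    """Case- and whitespace-insensitive form used for comparison."""
    return re.sub(r"\s+", "", package_id).lower()

FLAGGED = {normalize(p) for p in REPORTED_PACKAGES}

def referenced_packages(xml_text: str) -> list[tuple[str, str]]:
    """(id, version) pairs from .csproj <PackageReference> or packages.config <package>."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag == "PackageReference":
            pid = el.get("Include") or el.get("Update")
            ver = el.get("Version") or (el.findtext("Version") or "").strip()
        elif tag == "package":
            pid, ver = el.get("id"), el.get("version")
        else:
            continue
        if pid:
            found.append((pid, ver or ""))
    return found

def audit(xml_text: str) -> list[tuple[str, str]]:
    """Referenced packages whose ID matches the reported list."""
    return [(pid, ver) for pid, ver in referenced_packages(xml_text) if normalize(pid) in FLAGGED]

# Constructed sample project files (not real projects; versions are placeholders).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sharp7" Version="1.0.0" />
    <PackageReference Include="sharp7extend" Version="1.0.0" />
  </ItemGroup>
</Project>"""
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="SqlUnicorn.Core" version="1.0.0" targetFramework="net48" />
  <package id="Dapper" version="1.0.0" targetFramework="net48" />
</packages>"""

if __name__ == "__main__":
    for name, text in (("app.csproj", SAMPLE_CSPROJ), ("packages.config", SAMPLE_PACKAGES_CONFIG)):
        print(name, audit(text))  # lists the flagged (id, version) pairs per file
```

Run it over every .csproj and packages.config in a repository (or the output of `dotnet list package` reformatted to XML) to find references that should be removed.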
Via BleepingComputer