The NuGet repository, a popular service for .NET developers, was recently the target of a malicious attack. The attacker created 13 rogue packages that were downloaded more than 160,000 times over the past month.

The attacker used typosquatting to create fake packages with names similar to those of legitimate packages. The goal was to trick developers into downloading the packages, which contained a dropper: a PowerShell script that runs automatically upon installation and retrieves a follow-on, 'second stage' binary from a hard-coded server. That payload could then be remotely executed.

The NuGet packages have been taken down, but the incident highlights the need for developers to be vigilant when downloading packages from repositories. This is the first time that NuGet packages have been found to contain malicious code, and it is unlikely to be the last.
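A pre-install check a team could run against a downloaded `.nupkg` to catch both traits described above, a look-alike package ID and a bundled PowerShell script. This is an added example, not code from the original report; the allowlist, the 0.85 similarity threshold, the sample package names and the `tools/init.ps1` path in the constructed sample are assumptions.

```python
import difflib
import io
import re
import zipfile

# Assumed allowlist of package IDs the team actually depends on (constructed).
KNOWN_GOOD = {"Newtonsoft.Json", "Serilog", "Microsoft.Extensions.Logging"}


def lookalike_of(package_id, known=KNOWN_GOOD, threshold=0.85):
    """Return the known-good ID this name closely resembles, or None."""
    if package_id.lower() in {k.lower() for k in known}:
        return None  # exact match to a trusted ID (NuGet IDs are case-insensitive)
    for good in sorted(known):
        ratio = difflib.SequenceMatcher(None, package_id.lower(), good.lower()).ratio()
        if ratio >= threshold:
            return good
    return None


def audit_nupkg(data):
    """Inspect .nupkg bytes: report the package ID, any look-alike, and bundled .ps1 files."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        nuspec = next(n for n in names if n.lower().endswith(".nuspec"))
        m = re.search(r"<id>\s*([^<]+?)\s*</id>", z.read(nuspec).decode("utf-8", "replace"))
    package_id = m.group(1) if m else ""
    scripts = sorted(n for n in names if n.lower().endswith(".ps1"))
    return {"id": package_id, "resembles": lookalike_of(package_id), "scripts": scripts}


def build_sample(package_id, with_script):
    """Build a constructed, harmless .nupkg in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"{package_id}.nuspec",
                   f"<package><metadata><id>{package_id}</id></metadata></package>")
        z.writestr("lib/net6.0/placeholder.dll", b"")
        if with_script:
            z.writestr("tools/init.ps1", "# constructed placeholder, no commands")
    return buf.getvalue()


if __name__ == "__main__":
    for pid, script in [("Newtonsoft.Json", False), ("Newtonsof.Json", True)]:
        print(audit_nupkg(build_sample(pid, script)))
```

A package that both resembles a trusted ID and ships a `.ps1` file deserves manual review before it is restored into a build.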