Several malicious NuGet packages containing time-delayed payloads were identified; the payloads are capable of sabotaging industrial systems and databases after specific trigger dates. The packages were linked to a threat actor possibly of Chinese origin and exploited trusted libraries like Sharp7 to embed their malware, making detection challenging. #NuGetSupplyChain #Sharp7 #IndustrialControlSystems #TimeDelayedPayloads
Keypoints
- A set of nine malicious NuGet packages was designed to trigger sabotage in industrial and database systems after specific dates.
- The packages were published by an actor using the alias "shanhai666" and have been removed from NuGet.
- Sharp7Extend targets Siemens S7 PLCs with sabotage mechanisms like process termination and write failures.
- The malware uses C# extension methods to automatically execute malicious code during standard operations.
- Delayed activation dates range from August 2027 to November 2028, complicating detection and attribution efforts.
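
A triage heuristic for the pattern in the key points above (an added example, not code from the article or the removed packages): it flags C# extension methods in decompiled source that read the clock and contain a hard-coded date still in the future. The C# sample, the trigger date in it, and all function names are constructed for illustration.

```python
import re
from datetime import date

# Constructed sample of decompiled C# (assumption; not code from the removed packages).
SAMPLE_CS = """
public static class DbExtensions {
    public static int Exec(this IDbCommand cmd, string sql) {
        if (DateTime.Now > new DateTime(2027, 8, 15)) {
            /* altered behaviour after the date would sit here */
        }
        return cmd.ExecuteNonQuery();
    }
    public static string Age(this IDbCommand cmd) {
        return (DateTime.Now.Year - new DateTime(2020, 1, 1).Year) + " years";
    }
}
"""

# Extension method: a static method whose first parameter is marked `this`.
EXT_METHOD = re.compile(r"static\s+[\w<>\[\],\s]+?\s+(\w+)\s*\(\s*this\s+[^)]*\)\s*\{")
DATE_LITERAL = re.compile(r"new\s+DateTime\s*\(\s*(\d{4})\s*,\s*(\d{1,2})\s*,\s*(\d{1,2})")
CLOCK_READ = re.compile(r"DateTime\.(?:Now|UtcNow|Today)")

def method_body(src, open_idx):
    """Return the brace-balanced block starting at open_idx (ignores braces in strings)."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx:i + 1]
    return src[open_idx:]

def find_date_gated_extensions(src, today=None):
    """List (method, date) pairs where an extension method reads the clock
    and contains a hard-coded date later than `today`."""
    today = today or date.today()
    findings = []
    for m in EXT_METHOD.finditer(src):
        body = method_body(src, m.end() - 1)
        if not CLOCK_READ.search(body):
            continue
        for d in DATE_LITERAL.finditer(body):
            try:
                trigger = date(*map(int, d.groups()))
            except ValueError:  # e.g. month 13 in unrelated numeric arguments
                continue
            if trigger > today:
                findings.append((m.group(1), trigger.isoformat()))
    return findings
```

A hit is a lead for manual review of the decompiled method, not proof of a logic bomb; a date assembled at run time or stored outside the method will not match.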
Read More: https://thehackernews.com/2025/11/hidden-logic-bombs-in-malware-laced.html