Keypoints
- Moq 4.20.0 and 4.20.1 added Devlooped.SponsorLink as a dependency, which is a closed-source, obfuscated compiled DLL.
- The Devlooped.SponsorLink component executes during build and cannot be disabled when Moq is used as a dependency.
- The DLL spawns a git process to run "git config --get user.email", hashes the retrieved email, and posts the result to hxxps://cdn.devlooped[.]com/sponsorlink.
- The component loads settings from hxxps://cdn.devlooped[.]com/sponsorlink/settings.ini and avoids running when common CI environment variables are present (e.g., CI, TRAVIS, JENKINS_URL).
- Community members raised GDPR and trust concerns, prompting the maintainer to unpublish 4.20.0/4.20.1 and release 4.20.2 without the Devlooped.SponsorLink dependency.
- Multiple other NuGet packages include Devlooped.SponsorLink or related Devlooped packages, broadening the impact surface for builds that consume those packages.
MITRE Techniques
- [T1195] Supply Chain Compromise – A malicious or undesired dependency (Devlooped.SponsorLink) was added to Moq releases 4.20.0/4.20.1. (‘Devlooped.SponsorLink NuGet package has been added as a new dependency.’)
- [T1005] Data from Local System – The component collects developer-identifying data by reading local git configuration. ('git config --get user.email')
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The library spawns an external git process to obtain the email via Process.Start. ('Process.Start(new ProcessStartInfo(…))' and 'git config --get user.email'). Note that Process.Start launches git directly rather than through cmd.exe, so the shell sub-technique is an approximation; for detection purposes the observable is a build host (compiler or MSBuild process) creating a git child process with that command line.
- [T1027] Obfuscated Files or Information – The dependency is closed-source and provided as an obfuscated compiled DLL. (‘Devlooped.SponsorLink is a closed-source project, provided as a compiled dll with obfuscated code’)
- [T1567] Exfiltration Over Web Service – The hashed developer email is transmitted to a cloud endpoint under the author’s domain. (‘sends the hashed email of the current developer to hxxps://cdn.devlooped[.]com/sponsorlink’)
- [T1497] Virtualization/Sandbox Evasion (environment checks) – The code checks for CI/build environment variables and avoids execution if present. (‘He later discovered that the library also loads settings … and is evasive in case one of the following environment variable exists … CI TRAVIS JENKINS_URL’)
Indicators of Compromise
- [Domain/URL] Exfiltration endpoint and settings – hxxps://cdn.devlooped[.]com/sponsorlink, hxxps://cdn.devlooped[.]com/sponsorlink/settings.ini
- [NuGet package + versions] Affected package versions – Moq 4.20.0, Moq 4.20.1 (added Devlooped.SponsorLink); Moq 4.20.2 (removed dependency)
- [NuGet package] Malicious/opaque dependency – Devlooped.SponsorLink (closed-source, obfuscated DLL)
- [Packages using dependency] Other packages referencing Devlooped.SponsorLink – examples: devlooped.cloudstorageaccount.source, thisassembly.git, and other Devlooped-related packages (the source lists further packages that are not reproduced here)
Beginning with Moq 4.20.0, the package introduced Devlooped.SponsorLink as a build-time dependency packaged as a closed-source, obfuscated DLL. During compilation the component launches an external git process (invoking "git config --get user.email") to read the developer's configured email address, hashes that value, and transmits the hash to a cloud endpoint controlled by the package author at https://cdn.devlooped.com/sponsorlink. The component also fetches a remote settings.ini from the same CDN to control its behavior, so what it does on a given build is partly decided by content served from outside the package.
The code contains evasion checks that skip execution in common continuous integration or build environments by detecting environment variables such as CI, TF_BUILD, TRAVIS, TEAMCITY_VERSION, APPVEYOR, and JENKINS_URL; as a result, the behavior shows up on developer workstations rather than on build servers, which is where most organizations concentrate their monitoring. Because the dependency executes during the build and is distributed as an obfuscated compiled DLL, consumers cannot easily inspect or disable the behavior when depending on affected Moq releases. Following community disclosure and objections, versions 4.20.0 and 4.20.1 were reverted/unpublished and Moq 4.20.2 was released without the Devlooped.SponsorLink dependency.
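The behavior described above has a simple observable on an endpoint: a compiler or MSBuild host process spawns git with "config --get user.email" and, shortly afterwards, the same host process resolves or connects to cdn.devlooped.com. The detection logic below is an added example (not code from Moq, Devlooped, or the original page) that correlates those two events over Sysmon-style telemetry. The field names follow the Sysmon schema (EventID 1 process creation, 22 DNS query, 3 network connection); the list of build-host image names and the correlation window are assumptions for illustration, and the sample events are constructed, not real logs.

```python
"""Correlate a build host spawning 'git config --get user.email' with a
later DNS query or connection to the SponsorLink CDN from that same host.
Added example; not code from Moq, Devlooped or the original page."""
from datetime import datetime
import os
import re

# Processes that host the C# compiler / MSBuild, where a build-time analyzer
# would run. Assumption: illustrative list, extend it for your environment.
BUILD_HOSTS = {"dotnet", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe",
               "csc.exe", "devenv.exe"}

# Matches 'git config --get user.email' regardless of quoting around the path.
GIT_EMAIL_RE = re.compile(r"\bconfig\b.*--get\b.*\buser\.email\b", re.IGNORECASE)

SPONSORLINK_HOST = "cdn.devlooped.com"


def _basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def _ts(event):
    return datetime.fromisoformat(event["UtcTime"])


def find_sponsorlink_activity(events, window_seconds=120):
    """Return one finding per DNS/network event to the CDN whose ProcessGuid
    belongs to a build host that spawned the git email query within
    window_seconds. Developer-typed git calls (parent is a shell) and CDN
    lookups from unrelated processes are not reported."""
    spawns = {}  # parent ProcessGuid -> (time, parent image, git command line)
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if _basename(ev.get("Image", "")) not in {"git", "git.exe"}:
            continue
        if not GIT_EMAIL_RE.search(ev.get("CommandLine", "")):
            continue
        if _basename(ev.get("ParentImage", "")) not in BUILD_HOSTS:
            continue
        spawns[ev["ParentProcessGuid"]] = (_ts(ev), ev["ParentImage"], ev["CommandLine"])

    findings = []
    for ev in events:
        host = ""
        if ev.get("EventID") == 22:
            host = ev.get("QueryName", "")
        elif ev.get("EventID") == 3:
            host = ev.get("DestinationHostname", "")
        if host.lower() != SPONSORLINK_HOST:
            continue
        spawn = spawns.get(ev.get("ProcessGuid"))
        if spawn is None:
            continue
        spawn_time, parent_image, git_cmd = spawn
        if abs((_ts(ev) - spawn_time).total_seconds()) > window_seconds:
            continue
        findings.append({
            "build_host": parent_image,
            "process_guid": ev["ProcessGuid"],
            "git_command": git_cmd,
            "network_event": ev["EventID"],
            "host": host,
        })
    return findings


# Constructed sample telemetry (not real logs). {B1} is a dotnet build host
# that runs the git query and then talks to the CDN; {S1} is a developer's
# shell; {W1} is an unrelated process resolving the CDN.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2023-08-08T14:00:00", "ProcessGuid": "{G1}",
     "ParentProcessGuid": "{B1}", "Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": "git config --get user.email",
     "ParentImage": r"C:\Program Files\dotnet\dotnet.exe"},
    {"EventID": 22, "UtcTime": "2023-08-08T14:00:01", "ProcessGuid": "{B1}",
     "QueryName": "cdn.devlooped.com"},
    {"EventID": 3, "UtcTime": "2023-08-08T14:00:02", "ProcessGuid": "{B1}",
     "DestinationHostname": "cdn.devlooped.com"},
    {"EventID": 1, "UtcTime": "2023-08-08T14:05:00", "ProcessGuid": "{G2}",
     "ParentProcessGuid": "{S1}", "Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": "git config --get user.email",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 22, "UtcTime": "2023-08-08T14:06:00", "ProcessGuid": "{W1}",
     "QueryName": "cdn.devlooped.com"},
]

if __name__ == "__main__":
    for finding in find_sponsorlink_activity(SAMPLE_EVENTS):
        print(finding)
```

Because the CI-variable check suppresses the behavior on build servers, this logic is worth running against workstation telemetry, not only pipeline agents. Keying on the build host's ProcessGuid (rather than on the git child) matters because the network call is made by the analyzer inside the compiler process, not by git.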
Mitigations include auditing build-time dependencies (including transitive ones, since SponsorLink arrives through Moq rather than as a direct reference), pinning to known-good Moq versions (e.g., 4.20.2, or the last release before 4.20.0), monitoring build hosts for unexpected child processes and outbound connections, and blocking the identified CDN endpoint at the network level until packages are verified. Organizations should also review downstream packages that reference Devlooped.SponsorLink and consider rebuilds or dependency removals where appropriate.
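The dependency audit above is easiest to do from NuGet's restore output, obj/project.assets.json, which records every resolved package per target framework together with its declared dependencies and the project's direct references. The script below is an added example (not code from Moq, Devlooped, or the original page) that reports affected Moq versions and every chain from a direct project reference down to Devlooped.SponsorLink. The assets document is constructed for illustration; its Moq version is one of the affected releases, while the other package versions, including the SponsorLink version, are placeholders.

```python
"""Audit a NuGet project.assets.json for the affected Moq releases and for any
dependency chain that reaches Devlooped.SponsorLink.
Added example; not code from Moq, Devlooped or the original page."""
import json

AFFECTED_MOQ = {"4.20.0", "4.20.1"}
SPONSORLINK_ID = "devlooped.sponsorlink"


def _graph_for(assets, tfm):
    """Lower-cased package id -> (original id, resolved version, {dep id: range})."""
    graph = {}
    for key, meta in assets["targets"][tfm].items():
        if meta.get("type") != "package":
            continue
        pkg_id, version = key.split("/", 1)
        deps = {d.lower(): v for d, v in meta.get("dependencies", {}).items()}
        graph[pkg_id.lower()] = (pkg_id, version, deps)
    return graph


def sponsorlink_chains(assets, tfm):
    """Every chain 'Direct/ver -> ... -> Devlooped.SponsorLink/ver' for one target framework."""
    graph = _graph_for(assets, tfm)
    direct = [d.lower() for d in assets["project"]["frameworks"][tfm].get("dependencies", {})]
    chains = []

    def walk(pkg, path):
        if pkg not in graph:
            return
        pid, version, deps = graph[pkg]
        path = path + [f"{pid}/{version}"]
        if pkg == SPONSORLINK_ID:
            chains.append(path)
            return
        seen = {p.split("/", 1)[0].lower() for p in path}
        for dep in deps:
            if dep not in seen:  # guard against cyclic metadata
                walk(dep, path)

    for d in direct:
        walk(d, [])
    return chains


def audit(assets):
    """Return (tfm, kind, detail) findings: 'affected-moq' for Moq 4.20.0/4.20.1,
    'sponsorlink-chain' for each path that pulls in Devlooped.SponsorLink."""
    findings = []
    for tfm in assets["targets"]:
        graph = _graph_for(assets, tfm)
        moq = graph.get("moq")
        if moq and moq[1] in AFFECTED_MOQ:
            findings.append((tfm, "affected-moq", f"Moq/{moq[1]}"))
        for chain in sponsorlink_chains(assets, tfm):
            findings.append((tfm, "sponsorlink-chain", " -> ".join(chain)))
    return findings


def audit_file(path):
    """Convenience wrapper for a real obj/project.assets.json."""
    with open(path, encoding="utf-8") as fh:
        return audit(json.load(fh))


# Constructed sample assets document (not a real restore output). Moq/4.20.1 is
# an affected release; every other version here is a placeholder.
SAMPLE_ASSETS = json.loads("""
{
  "version": 3,
  "targets": {
    "net7.0": {
      "Moq/4.20.1": {"type": "package",
                     "dependencies": {"Castle.Core": "5.1.1", "Devlooped.SponsorLink": "1.0.0"}},
      "Castle.Core/5.1.1": {"type": "package", "dependencies": {}},
      "Devlooped.SponsorLink/1.0.0": {"type": "package"},
      "Newtonsoft.Json/13.0.3": {"type": "package"}
    }
  },
  "project": {
    "frameworks": {
      "net7.0": {"dependencies": {
        "Moq": {"target": "Package", "version": "[4.20.1, )"},
        "Newtonsoft.Json": {"target": "Package", "version": "[13.0.3, )"}}}
    }
  }
}
""")

if __name__ == "__main__":
    for tfm, kind, detail in audit(SAMPLE_ASSETS):
        print(f"{tfm}: {kind}: {detail}")
```

Run audit_file on each project's obj/project.assets.json after a restore; the chain output tells you which direct reference to pin or replace, which is the information the flat package list from the IoC section does not give. Checking the resolved graph rather than the .csproj catches the case where SponsorLink arrives only transitively, through Moq or through any of the other Devlooped packages listed above.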