Malware, Security Operations

Malicious NuGet packages target ASP.NET developers, steal sensitive data

Four malicious NuGet packages have been discovered targeting ASP.NET web application developers to steal sensitive data and create persistent backdoors. The packages, identified as NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_, were published to the NuGet repository between August 12 and 21, 2024, and have since been removed. These packages aimed to compromise applications during the development phase, allowing attackers to gain access to deployed production environments, as reported by The Hacker News.

The campaign, discovered by Socket, focused on exfiltrating ASP.NET Identity data, including user accounts, roles, and permissions. NCryptYo acted as a dropper, establishing a local proxy to communicate with an attacker-controlled command-and-control (C2) server. DOMOAuth2_ and IRAOAuth2.0 then transmitted the stolen data and received authorization rules to create backdoors, granting attackers administrative access or disabling security checks.

SimpleWriter_ provided capabilities for unconditional file writing and hidden process execution, masquerading as a PDF utility. The analysis indicated a single threat actor was behind the campaign, which attracted over 4,500 downloads before takedown.

Source: The Hacker News
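
A defender's check for the four package IDs named above, as an added example that is not part of the original article or of Socket's analysis: it walks a source tree and reports every project file, `packages.config` or `packages.lock.json` that references one of them. The file layout scanned and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import json, os, tempfile
import xml.etree.ElementTree as ET

# Package IDs named in the article. NuGet IDs are case-insensitive.
FLAGGED = {n.lower() for n in ("NCryptYo", "DOMOAuth2_", "IRAOAuth2.0", "SimpleWriter_")}
# XML element -> attribute holding the package ID (.csproj/.props and packages.config).
ID_ATTR = {"PackageReference": "Include", "PackageVersion": "Include", "package": "id"}

def ids_from_xml(path):
    """Package IDs referenced by a project file, .props file or packages.config."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return []
    # rsplit strips the XML namespace that old-style .csproj files put on every tag.
    pairs = ((el, ID_ATTR.get(el.tag.rsplit("}", 1)[-1])) for el in root.iter())
    return [el.get(a) for el, a in pairs if a and el.get(a)]

def ids_from_lock(path):
    """Direct and transitive package IDs recorded in packages.lock.json."""
    try:
        with open(path, encoding="utf-8-sig") as fh:
            deps = json.load(fh).get("dependencies", {})
    except (ValueError, OSError):
        return []
    return [pkg for framework in deps.values() for pkg in framework]

def scan(root_dir):
    """Return sorted (relative_path, package_id) pairs that reference a flagged ID."""
    hits = []
    for folder, _dirs, files in os.walk(root_dir):
        for name in files:
            path, low = os.path.join(folder, name), name.lower()
            if low == "packages.lock.json":
                ids = ids_from_lock(path)
            elif low == "packages.config" or low.endswith((".csproj", ".props")):
                ids = ids_from_xml(path)
            else:
                continue
            hits += [(os.path.relpath(path, root_dir), i) for i in ids if i.lower() in FLAGGED]
    return sorted(hits)

def demo():
    """Scan a constructed sample tree (file contents and versions are made up)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "Web.csproj"), "w") as f:
            f.write('<Project><ItemGroup><PackageReference Include="ncryptyo" Version="1.0.0"/>'
                    '<PackageReference Include="Newtonsoft.Json" Version="13.0.3"/></ItemGroup></Project>')
        with open(os.path.join(d, "packages.lock.json"), "w") as f:
            json.dump({"dependencies": {"net8.0": {"SimpleWriter_": {"type": "Transitive"}}}}, f)
        return scan(d)
```

Calling `scan()` on a repository root returns an empty list when none of the four IDs is referenced; the lock-file pass matters because a transitive dependency never appears in the `.csproj` itself.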
