.NET Devs Targeted With Malicious NuGet Packages

Published: 23/11/2024   Category: security

In a possible first for the NuGet repository, more than a dozen components in the .NET code repository run a malicious script upon installation, with no warning or alert.



A baker's dozen of packages hosted on the NuGet repository for .NET software developers are actually malicious Trojan components that compromise the system they are installed on and download crypto-stealing malware with backdoor functionality.
Software supply chain security firm JFrog stated in an analysis published March 21 that the 13 packages, which have since been removed, have been downloaded more than 166,000 times and impersonate other legitimate software, such as Coinbase and Microsoft ASP.NET. JFrog detected the attack when the company's researchers noted suspicious activity: a file — init.ps1 — executed upon installation, then downloaded an executable file and ran it.
The discovery of the malicious code highlights that attackers are further branching out into the software supply chain as a way to compromise unwary developers, even though .NET and the C# programming language are less familiar to attackers, says Shachar Menashe, director of security research for JFrog.
"The techniques to get malicious code executed on NuGet package install, while trivial, are less documented than in Python or JavaScript, and some of them have been deprecated, so some novice attackers may think it's not possible," he says. "And perhaps NuGet has better automated filtering of malicious packages."
The software supply chain has become increasingly targeted by attackers attempting to compromise developers' systems or to propagate unnoticed code to end users through developers' applications. The Python Package Index (PyPI) and the JavaScript-focused Node Package Manager (npm) ecosystems are frequent targets of supply chain attacks targeting open source projects.
The attack on the .NET software ecosystem, which consists of nearly 350,000 unique packages, is the first time that malicious packages have targeted NuGet, according to JFrog, although the company noted that a spamming campaign had previously pushed phishing links to developers.
The attack underscores that typosquatting continues to be a problem. That style of attack involves creating packages with similar-sounding names — or the same name with common spelling errors — as legitimate ones, in the hope that a user will mistype a common package name or won't notice the errors.
Developers should give new packages a good look before including them in a programming project, JFrog researchers Natan Nehorai and Brian Moussalli wrote in the online advisory.
"Even though no prior malicious-code attacks were observed in the NuGet repository, we were able to find evidence for at least one recent campaign using methods such as typosquatting to propagate malicious code," they wrote. "As with other repositories, safety measures should be taken at every step of the software development lifecycle to ensure the software supply chain remains secure."
"Files that are automatically executed by development tools are a security weakness and should be eliminated or limited to reduce the attack surface area," the researchers stated. That functionality is a significant reason why the npm and PyPI ecosystems have package-poisoning issues, compared with, say, the Go package ecosystem.
Despite the fact that the discovered malicious packages have since been removed from NuGet, .NET developers are still at high risk from malicious code, since NuGet packages still contain facilities to run code immediately upon package installation, the JFrog researchers stated in the blog post. "[A]lthough it is deprecated, [an initialization] script is still honored by Visual Studio and will run without any warning when installing a NuGet package."
JFrog advised developers to check imported and installed packages for typos, to make sure they do not accidentally install such packages in their projects, and not to list them as dependencies.
In addition, developers should view the contents of packages to ensure that there are no executable files that are downloaded and automatically executed. While such files are common in some software ecosystems, they are usually an indication of malicious intent.
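As an added example (not JFrog's code and not part of the advisory), the following Python script performs the two checks recommended above on a downloaded .nupkg: it compares the package id against a list of names the project already trusts, to catch near-miss spellings of the kind typosquatting relies on, and it lists entries inside the package that would run or ship code at install or build time (PowerShell scripts under tools/, which is where the init.ps1 the article describes lives, shipped .exe files, and MSBuild .targets/.props files under build/, which the article does not mention but which MSBuild imports automatically). The trusted-name list, the sample package and its contents are constructed for this example.

```python
import io
import zipfile
from typing import Dict, List

# Constructed allow-list for this example: package ids the project is known to use.
# In practice this is the set of dependencies a reviewer expects to see.
KNOWN_GOOD_IDS = ["Coinbase", "Microsoft.AspNetCore.App", "Newtonsoft.Json"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insert, delete, substitute; cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(package_id: str, known_ids=KNOWN_GOOD_IDS,
                         max_distance: int = 2) -> List[str]:
    """Trusted ids that are close to package_id but not identical (case-insensitive).

    A non-empty result means the id looks like a misspelling of something the
    project already trusts and deserves a manual look before it is installed.
    """
    pid = package_id.lower()
    return [k for k in known_ids
            if k.lower() != pid and levenshtein(pid, k.lower()) <= max_distance]


def install_time_hooks(nupkg: bytes) -> List[str]:
    """Entries in a .nupkg (a plain zip archive) that run or ship code automatically.

    - tools/*.ps1: init.ps1 / install.ps1 / uninstall.ps1 PowerShell hooks
    - *.exe anywhere: a shipped executable, unusual for a library package
    - build/ or buildTransitive/ *.targets / *.props: imported by MSBuild at build time
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.startswith("tools/") and lower.endswith(".ps1"):
                hits.append(name)
            elif lower.endswith(".exe"):
                hits.append(name)
            elif (lower.startswith(("build/", "buildtransitive/"))
                  and lower.endswith((".targets", ".props"))):
                hits.append(name)
    return hits


def review_package(package_id: str, nupkg: bytes) -> Dict[str, List[str]]:
    """Combine both checks into one report for a package about to be installed."""
    return {
        "typosquat_of": typosquat_candidates(package_id),
        "install_hooks": install_time_hooks(nupkg),
    }


def build_sample_nupkg(entries: Dict[str, str]) -> bytes:
    """Build an in-memory .nupkg from a name -> content mapping (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a package whose id is one transposition away from "Coinbase"
# and which carries an init.ps1, the hook the article says Visual Studio still honors.
SAMPLE_NUPKG = build_sample_nupkg({
    "Coinbsae.nuspec": "<package><metadata><id>Coinbsae</id></metadata></package>",
    "lib/netstandard2.0/Coinbsae.dll": "placeholder, not a real assembly",
    "tools/init.ps1": "# constructed stand-in for a script that runs on install\n",
})

if __name__ == "__main__":
    report = review_package("Coinbsae", SAMPLE_NUPKG)
    print("looks like a misspelling of:", report["typosquat_of"])
    print("install/build-time hooks:", report["install_hooks"])
```

Running the script on the constructed sample reports that "Coinbsae" is within two edits of the trusted "Coinbase" and that the package carries tools/init.ps1; either finding on its own is reason to open the package and read what is in it before adding it as a dependency. The allow-list approach deliberately flags only near misses of names you already rely on, which keeps the check quiet for unrelated packages while catching the spelling-error variants the article describes.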
Through a variety of countermeasures, the NuGet repository — as well as npm and PyPI — is slowly but surely eliminating these security weaknesses, says JFrog's Menashe.
"I don't expect NuGet to become more of a target in the future, especially if the NuGet maintainers were to fully remove support for running code on package install — which they have already partially done," he says.
