The NuGet repository has recently been targeted by an advanced and highly malicious assault, intending to infiltrate .NET developer systems with cryptocurrency-stealing malware. Over the past month, 13 malicious packages were downloaded over 160,000 times before being removed. These packages included a PowerShell script that, upon installation, initiated the download of a ‘second stage’ payload capable of remote execution. Although NuGet packages have previously been found to harbor vulnerabilities and facilitate phishing link distribution, this incident represents the first-ever discovery of packages containing harmful code.
In a further effort to hide their intentions, some packages did not directly contain harmful payloads. Instead, they fetched them through a separate, rigged package as a dependency. Even more concerning, the connection to the command-and-control (C2) server uses HTTP, not HTTPS, leaving it exposed to potential attacks from adversaries in the middle. The second-stage malware is a custom payload that can be changed on demand, as it is retrieved from the C2.
This incident demonstrates that all open-source repositories, whether they are software module repositories like NuGet or application repositories like Winget and Chocolatey, are vulnerable to attacks from threat actors. IT professionals using app repositories such as Chocolatey and Winget face a high risk of malicious code infiltrating their systems. They should exercise caution when selecting applications for their environments to maintain security. While some repositories claim to perform antivirus checks on uploaded files, no antivirus engine is flawless, and they may not be able to detect harmful PowerShell scripts capable of executing external payloads.
Here at Action1, we do not rely on any public repositories for this very reason of not trusting any kind of community-supported content. When automating the patching of third-party applications (such as web browsers, desktop apps, utilities, etc), our in-house team performs scanning, packaging, and testing of all newly released third-party application updates to ensure their integrity and eliminate any risk of compromising our customers’ systems.
About Action1
Action1 provides a risk-based patch management solution for distributed work-from-anywhere organizations. Action1 helps to discover, prioritize, and remediate vulnerabilities in a single solution to prevent security breaches and ransomware attacks. It automates patching of third-party applications and OS, drivers, and firmware, ensuring continuous patch compliance and remediation of security vulnerabilities before they are exploited.