
9 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads

Blog post from Socket

Post Details
Company: Socket
Author: Kush Pandya
Word Count: 2,255
Language: English
Summary

Socket's Threat Research Team identified nine malicious NuGet packages published under the alias "shanhai666". Released between 2023 and 2024, the packages have accumulated 9,488 downloads and target the major database providers used in .NET applications as well as industrial PLCs. The most hazardous of them, Sharp7Extend, uses two sabotage mechanisms against safety-critical industrial control systems: random termination of the host process and silent write failures.

The malicious code is buried inside a large amount of legitimate functionality, which builds trust among developers and delays detection. The packages use C# extension methods to attach the destructive logic to ordinary database and PLC operations, so the payload runs on the same code path as the legitimate call, and the time-delayed payloads activate on specific trigger dates in 2027 and 2028. Combined with typosquatting and the reuse of legitimate code, this makes the packages hard to detect and attribute, and it complicates forensic investigation: a failure that surfaces years after installation looks like an ordinary operational fault rather than an attack.

Organizations should audit their dependencies for these packages and treat any system that has installed one as compromised. Systems using Sharp7Extend in industrial environments may already be experiencing the sabotage, disguised as routine operational failures.
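The dependency audit recommended above, as an added example that is not Socket's tooling or code from the original post. It scans the two places a .NET project records its NuGet dependencies, SDK-style `.csproj` files (`PackageReference` elements) and `packages.lock.json`, and reports every reference whose package ID is on a denylist. Only Sharp7Extend is named on this page, so the denylist here contains that single ID; the other eight IDs must be taken from Socket's advisory before a real audit. The sample project files and the version numbers in them are constructed for the example; the function and constant names are the example's own.

```python
"""Audit a .NET source tree for NuGet package IDs named in Socket's advisory.

Added example, not Socket's tooling. NuGet package IDs are case-insensitive,
so matching is done on lower-cased IDs.
"""
import json
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterator

# Denylist constructed for this example: only Sharp7Extend is named on this
# page. The other eight IDs from the advisory must be added for a real audit.
MALICIOUS_PACKAGE_IDS = {"sharp7extend"}


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ({ns}Tag -> Tag); older csproj files carry one."""
    return tag.rsplit("}", 1)[-1]


def packages_in_csproj(text: str) -> Iterator[tuple[str, str]]:
    """Yield (package_id, version) for each PackageReference in a .csproj."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return
    for elem in root.iter():
        if _local(elem.tag) != "PackageReference":
            continue
        # Include= declares a reference; Update= re-pins one declared elsewhere.
        name = elem.get("Include") or elem.get("Update")
        if not name:
            continue
        version = elem.get("Version")
        if version is None:  # Version may also be written as a child element
            for child in elem:
                if _local(child.tag) == "Version":
                    version = (child.text or "").strip()
        yield name, version or "?"


def packages_in_lock_json(text: str) -> Iterator[tuple[str, str]]:
    """Yield (package_id, resolved_version) from packages.lock.json.

    The file is keyed by target framework, then by package ID, and includes
    transitive dependencies, which a .csproj alone would miss.
    """
    data = json.loads(text)
    for deps in data.get("dependencies", {}).values():
        for name, info in deps.items():
            yield name, info.get("resolved", "?")


def audit_files(files: dict[str, str], denylist=MALICIOUS_PACKAGE_IDS) -> list[dict]:
    """Return one hit per denylisted reference found in the given files.

    `files` maps a path to its text so the audit can run on in-memory data;
    `audit_tree` builds the mapping from disk.
    """
    hits = []
    for path, text in sorted(files.items()):
        lower = path.lower()
        if lower.endswith(".csproj"):
            found = packages_in_csproj(text)
        elif lower.endswith("packages.lock.json"):
            found = packages_in_lock_json(text)
        else:
            continue
        for name, version in found:
            if name.lower() in denylist:
                hits.append({"file": path, "package": name, "version": version})
    return hits


def audit_tree(root: Path) -> list[dict]:
    """Collect .csproj and packages.lock.json files under root and audit them."""
    files = {
        str(p): p.read_text(encoding="utf-8", errors="replace")
        for p in root.rglob("*")
        if p.is_file()
        and (p.suffix.lower() == ".csproj" or p.name.lower() == "packages.lock.json")
    }
    return audit_files(files)


# Constructed sample inputs; the version numbers are placeholders, not real ones.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="sharp7extend" Version="1.0.0" />
  </ItemGroup>
</Project>"""

SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Sharp7Extend": {"type": "Direct", "requested": "[1.0.0, )", "resolved": "1.0.0"},
            "Sharp7": {"type": "Transitive", "resolved": "1.0.0"},
        }
    },
})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        hits = audit_tree(Path(sys.argv[1]))  # usage: python audit.py path/to/solution
    else:
        hits = audit_files({"App/App.csproj": SAMPLE_CSPROJ,
                            "App/packages.lock.json": SAMPLE_LOCK})
    for h in hits:
        print(f"{h['file']}: {h['package']} {h['version']}")
    sys.exit(1 if hits else 0)
```

Run it against a solution directory and it exits non-zero when any denylisted ID appears, which makes it usable as a CI gate. Checking `packages.lock.json` as well as `.csproj` matters because a malicious package pulled in transitively never appears in a project file; enabling lock files (`RestorePackagesWithLockFile`) is therefore a prerequisite for a complete audit.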