
Four Malicious NuGet Packages Target ASP.NET Developers With JIT Hooking and Credential Exfiltration

Blog post from Socket

Post Details

Company: Socket
Author: Kush Pandya
Word Count: 3,466
Language: English
Hacker News Points: -
Summary

Socket's Threat Research Team identified a sophisticated NuGet supply chain attack targeting ASP.NET web application developers through four malicious packages, NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_, all published by the threat actor hamzazaheer. The attack uses a multi-stage payload: NCryptYo acts as a stage-1 dropper that establishes a local proxy on localhost:7152, enabling exfiltration of ASP.NET Identity data and the creation of persistent backdoors through manipulated authorization rules. The packages, which have amassed over 4,500 downloads, employ several obfuscation techniques, including typosquatting the legitimate NCrypto package, to evade detection by security vendors. Shared infrastructure is evident from byte-identical authentication tokens across the packages, which were built on a consistent system environment and share metadata quirks suggesting common authorship. The attack chain activates when developers install the packages, and the compromised authorization layer then grants unauthorized access to applications during development. Socket's AI Scanner has initiated takedown requests, and Socket recommends defenses against such attacks, including dependency audits, CI/CD scanning, and behavioral monitoring, to limit supply chain exposure in production environments.
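The dependency audit the summary recommends can be scripted against a project's `.csproj` files. The example below is added here and is not code from Socket or the original post; it flags the four package ids named above and any id suspiciously close to the legitimate `NCrypto` package. The similarity threshold, the sample project file, its versions, and the `NCrypt0` id are constructed for the example.

```python
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Package ids named in the Socket report (from the page). NuGet ids are
# case-insensitive, so all comparisons use lower case. Versions are not given.
MALICIOUS_IDS = {p.lower() for p in ("NCryptYo", "DOMOAuth2_", "IRAOAuth2.0", "SimpleWriter_")}
# Legitimate package that NCryptYo typosquats, per the report.
LEGIT_IDS = {"NCrypto"}

def typosquat_score(candidate, legit):
    """Similarity in [0, 1]; NCryptYo vs NCrypto scores about 0.93."""
    return SequenceMatcher(None, candidate.lower(), legit.lower()).ratio()

def package_refs(csproj_xml):
    """Return (id, version) for every <PackageReference> in an SDK-style project file."""
    refs = []
    for el in ET.fromstring(csproj_xml).iter():
        if el.tag.endswith("PackageReference"):
            pid = el.get("Include") or el.get("Update")
            if pid:
                refs.append((pid, el.get("Version")))
    return refs

def audit(refs, threshold=0.8):
    """Flag known-malicious ids and ids close to a legitimate one (possible typosquats).
    The 0.8 threshold is an assumption for this example; tune it on your own dependency tree."""
    findings = []
    for pid, ver in refs:
        if pid.lower() in MALICIOUS_IDS:
            findings.append((pid, ver, "known malicious (Socket report)"))
            continue
        for legit in LEGIT_IDS:
            if pid.lower() != legit.lower() and typosquat_score(pid, legit) >= threshold:
                findings.append((pid, ver, f"possible typosquat of {legit}"))
    return findings

def audit_csproj(csproj_xml):
    return audit(package_refs(csproj_xml))

# Constructed sample project file; the versions and the NCrypt0 id are made up for the test.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="NCryptYo" Version="1.0.0" />
    <PackageReference Include="NCrypt0" Version="2.1.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pid, ver, reason in audit_csproj(SAMPLE_CSPROJ):
        print(f"{pid} {ver}: {reason}")
```

Run it over every `*.csproj` (and, for locked restores, the ids in `packages.lock.json`) in CI so a flagged id fails the build before `dotnet restore` pulls the package.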