Socket uncovered four malicious NuGet packages targeting ASP.NET apps, using a typosquatted dropper and localhost proxy to steal Identity data and bac...

Socket

Socket's Threat Research Team uncovered a coordinated NuGet supply chain attack involving four malicious packages targeting ASP.NET developers. The campaign uses NCryptYo as a typosquatted dropper (mimicking the legitimate NCrypto package) that installs JIT compiler hooks to decrypt and deploy a stage-2 localhost proxy on port 7152. Companion packages DOMOAuth2_ and IRAOAuth2.0 exfiltrate ASP.NET Identity data (user accounts, roles, permissions) and accept attacker-controlled authorization rules to create persistent backdoors. SimpleWriter_ adds arbitrary file writing and hidden process execution. All four packages share byte-identical auth tokens, identical build environments, and were published by the same threat actor within a nine-day window in August 2024, accumulating ~4,500 downloads. The attack targets deployed production applications rather than developer machines, giving attackers persistent admin-level access to victim apps. Mitigation recommendations include auditing for typosquatting, inspecting static constructors, monitoring non-standard localhost connections, and enabling NuGet package signature verification.

Four Malicious NuGet Packages Target ASP.NET Developers With...

Campaign Linkage: Shared Infrastructure and Build Artifacts #

IRAOAuth2.0: Hardcoded-Only Credential Channel #

SimpleWriter_: File Drop and Process Execution #