.NET Devs Targeted With Malicious NuGet Packages

In a possible first for the NuGet repository, more than a dozen components in the .NET code repository run a malicious script upon installation, with no warning or alert.

A baker's dozen of packages hosted on the NuGet repository for .NET software developers are actually malicious Trojan components that will compromise the installation system and download crypto-stealing malware with backdoor functionality.

Software supply chain security firm JFrog stated in an analysis published March 21 that the 13 packages, which have since been removed, have been downloaded more than 166,000 times and impersonate other legitimate software, such as Coinbase and Microsoft ASP.NET. JFrog detected the attack when the company's researchers noted suspicious activity when a file — init.ps1 — executed upon installation and then downloaded an executable file and ran it.

The discovery of the malicious code highlights that attackers are further branching out into the software supply chain as a way to compromise unwary developers, even though .NET and the C# programming languages are lesser known among attackers, says Shachar Menashe, director of security research for JFrog.

"The techniques to get malicious code executed on NuGet package install, while trivial, are less documented than in Python or JavaScript, and some of them have been deprecated, so some novice attackers may think it's not possible," he says. "And perhaps NuGet has better automated filtering of malicious packages."

The software supply chain has become increasingly targeted by attackers with attempts to compromise developers' systems or propagate unnoticed code to the end user through developers' applications. The Python Package Index (PyPI) and the JavaScript-focused Node Package Manager (npm) ecosystems are frequent targets of supply chain attacks targeting open source projects.

The attack on the .NET software ecosystem, which consists of nearly 350,000 unique packages, is the first time that malicious packages have targeted NuGet, according to JFrog, although the company noted that a spamming campaign had previously pushed phishing links to developers.

Typosquatting Still a Problem

The attack underscores that typosquatting continues to be a problem. That style of attack involves creating packages with similar sounding names — or the same name with common spelling errors — as legitimate ones, in the hopes that a user will mistype a common package or won't notice the errors.

Developers should give new packages a good look before including them in a programming project, JFrog researchers Natan Nehorai and Brian Moussalli wrote in the online advisory.

"Even though no prior malicious-code attacks were observed in the NuGet repository, we were able to find evidence for at least one recent campaign using methods such as typosquatting to propagate malicious code," they wrote. "As with other repositories, safety measures should be taken at every step of the software development lifecycle to ensure the software supply chain remains secure."

Immediate Code Execution Is Problematic

Files that are automatically executed by development tools are a security weakness and should be eliminated or limited to reduce the attack surface area, the researchers stated. That functionality is a significant reason why the npm and PyPI ecosystems have poisoning issues, as compared to, say, the Go package ecosystem.

"Despite the fact that the discovered malicious packages have since been removed from NuGet, .NET developers are still at high risk from malicious code since NuGet packages still contain facilities to run code immediately upon package installation," the JFrog researchers stated in the blog post. "[A]lthough it is deprecated, [an initialization] script is still honored by Visual Studio and will run without any warning when installing a NuGet package."

JFrog advised developers to check for typos in imported and installed packages and said that developers should make sure not to "accidentally install them in their project, or mention them as a dependency," the company stated.

In addition, developers should view the contents of packages to ensure that there are no executable files that are being downloaded and automatically executed. While such files are common in some software ecosystems, they are usually an indication of malicious intent.

Through a variety of countermeasures, the NuGet repository — as well as npm and PyPI — are slowly, but surely, eliminating the security weaknesses, says JFrog's Menashe. 

"I don't expect NuGet to become more of a target in the future, especially if the NuGet maintainers were to fully remove support for running code on package install — which they have already partially done," he says.

Editors' Choice
Elizabeth Montalbano, Contributor, Dark Reading
Nate Nelson, Contributing Writer, Dark Reading
Nate Nelson, Contributing Writer, Dark Reading