November 8, 2025 | Cryptopolitan

Socket flags malicious NuGet packages set to activate in 2027 and 2028

Two years ago, an account with the name “shanhai666” uploaded nine malicious NuGet [...] launched a complicated software supply-chain [...] to supply-chain security firm Socket, the packages have been collectively downloaded 9,488 [...] addition, specific triggers are set for August 2027 and November 2028.

Socket’s team member, Kush Pandya, discovered the threat actor behind the campaign that published a total of 12 [...] of the packages contain harmful routines, while three are fully functional implementations disguising the rest as “credible.” Pandya believes the hacker used legitimate libraries together with the malicious ones to trick developers into installing the packages without detecting anomalies during routine testing.

“Legitimate functionality masks the ~20-line malicious payload buried in thousands of lines of legitimate code, and delays discovery since even after activation, crashes appear as random bugs rather than systematic attacks,” he wrote in a November 6 report.

9 NuGet hidden threats in legitimate code

The nine identified malicious packages could affect all three major database providers used [...] applications: Microsoft SQL Server, PostgreSQL, and [...] package, Sharp7Extend, specifically targets industrial PLCs used in manufacturing and process automation.

Socket’s research propounded that the database could be vulnerable to a dual-purpose supply-chain attack threatening software development and critical infrastructure [...] coined package Sharp7Extend as the most dangerous of the malicious packages, being a typosquat of the legitimate Sharp7 [...] implementation for communicating with Siemens S7 programmable logic controllers.

Sharp7Extend package assessment

[...] method is added to command types, while Sharp7Extend adds a .BeginTran() method to S7Client [...] extensions run automatically every time an application does a PLC action or a [...] the trigger date, the malware makes a random number between 1 and [...] the number exceeds 80, which has a 20% probability of happening, the package immediately kills the running process using Process.GetCurrentProcess().Kill().

The abrupt termination occurs without warnings or log entries and could seem like network instability, hardware faults, or other “non alarming” system errors.

Sharp7Extend also implements delayed write corruption through a timer that sets a 30–90 minute grace [...] the grace period, a filter method called ResFliter.fliter() begins silently failing write operations 80% of the [...] affected include WriteDBSingleByte, WriteDBSingleInt, and [...] appear successful while data is not actually written to the [...]

[...] set for August 2027 to November 2028

Socket security’s report said certain database-focused packages in the campaign’s crossroads, including MCDbRepository, are slated to execute their payload on August 8, [...] and SqlUnicornCoreTest could likely go active on November 29, 2028.
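A review-time heuristic for the pattern described above, as an added example that is not from Socket's report or the article: it flags decompiled C# files that pair a hard-coded date later than the package's publish date with an abrupt process-termination call. The `new DateTime(y, m, d)` encoding, the sample sources, the `Run` and `Roll` names and the publish date are constructed assumptions; the real packages may encode their triggers differently.

```python
import re
from datetime import date

# Hard-coded calendar dates in C# source, e.g. new DateTime(2027, 8, 8) (assumed encoding).
DATE_LITERAL = re.compile(r"new\s+DateTime\s*\(\s*(\d{4})\s*,\s*(\d{1,2})\s*,\s*(\d{1,2})")
# Abrupt-termination calls; Process.GetCurrentProcess().Kill() is the one the article names.
KILL_CALL = re.compile(r"Process\s*\.\s*GetCurrentProcess\s*\(\s*\)\s*\.\s*Kill\s*\("
                       r"|Environment\s*\.\s*(?:Exit|FailFast)\s*\(")

def dates_after(source, published):
    """Return the hard-coded dates in `source` that fall after `published`."""
    found = []
    for y, m, d in DATE_LITERAL.findall(source):
        try:
            literal = date(int(y), int(m), int(d))
        except ValueError:  # not a real calendar date, e.g. month 13
            continue
        if literal > published:
            found.append(literal)
    return sorted(found)

def scan(files, published):
    """Map file name -> finding for files pairing a post-publish date with a kill call."""
    findings = {}
    for name, source in files.items():
        dates = dates_after(source, published)
        kills = KILL_CALL.findall(source)
        if dates and kills:
            findings[name] = {"dates": dates, "kill_calls": len(kills)}
    return findings

# Constructed sample sources (not taken from the real packages).
SAMPLE = {
    "CommandExtensions.cs": """
        public static T Run<T>(this T cmd) {   // hypothetical extension method
            if (DateTime.Now > new DateTime(2027, 8, 8) && Roll() > 80)
                Process.GetCurrentProcess().Kill();
            return cmd;
        }""",
    "License.cs": "var licenseEnd = new DateTime(2030, 1, 1);  // future date, no kill call",
    "Cli.cs": "if (args.Length == 0) Environment.Exit(2);      // exit, no date gate",
}
PUBLISHED = date(2023, 11, 1)  # constructed publish date for the sample

if __name__ == "__main__":
    for name, hit in scan(SAMPLE, PUBLISHED).items():
        print(name, [d.isoformat() for d in hit["dates"]], hit["kill_calls"])
```

A trigger date assembled from parsed strings or computed values will not match this pattern, so a hit is a prompt for manual review of the file and a clean result is not proof of safety.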

“This staggered approach gives the threat actor a longer window to collect victims before the delayed-activation malware triggers, while immediately disrupting industrial control systems,” Pandya explained.

Socket’s investigation found that the name “shanhai666” and portions of the source code are of Chinese [...] September, cybersecurity analysts uncovered code on Microsoft Internet Information Services (IIS) servers that had been exploiting vulnerabilities since [...] operation involves malicious IIS modules used for remote command execution and search engine optimization (SEO) [...]
