Overview
- Socket identified nine booby-trapped packages among 12 published by the NuGet user "shanhai666" in 2023–2024, with roughly 9,500 downloads before NuGet removed them.
- The Sharp7Extend package targets Siemens S7 PLCs. It activates on install and stays armed through June 6, 2028, randomly killing processes 20% of the time and, after a 30–90 minute delay, corrupting PLC write operations 80% of the time.
- Several database-focused packages for SQL Server, PostgreSQL, and SQLite are hardcoded to trigger on August 8, 2027, and November 29, 2028, imposing a 20% chance of terminating the host application during queries.
- The campaign blends in by delivering genuinely useful functionality and burying about 20 lines of malicious code in it. That code uses C# extension methods to intercept database and PLC operations, and the packages typosquat the names of legitimate libraries, so nothing stands out as an obvious red flag.
- Socket urged organizations to audit dependency trees and assume compromise if these packages were present, warning that staggered triggers and probabilistic behavior hinder detection and incident response.
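The audit Socket recommends can be scripted against the manifests a .NET project already carries. The following is an added example, not code from Socket or from the report: it parses a `.csproj` and a `packages.lock.json`, matches the package names against an indicator list, and flags names that look like typosquats of a legitimate library. Only `Sharp7Extend` and the publisher name `shanhai666` come from the write-up; the second indicator entry, the watchlist of legitimate packages (Sharp7 is assumed to be the impersonated library), and both sample manifests are constructed for the example. Because the malicious logic is time- and probability-gated, a runtime test would not reliably surface it, which is why this check works on names and publishers rather than behaviour.

```python
"""Audit .NET dependency manifests for the packages described in the Socket write-up.

Constructed example: indicator list, watchlist and sample manifests are embedded inline.
Only Sharp7Extend and the publisher shanhai666 are named in the write-up; the remaining
indicator is a placeholder to be replaced with the real package names from the report.
"""
import json
import xml.etree.ElementTree as ET

# Known-malicious package names -> note. Only Sharp7Extend comes from the write-up.
MALICIOUS_PACKAGES = {
    "Sharp7Extend": "Siemens S7 PLC sabotage; armed until 2028-06-06",
    "ASSUMED_PACKAGE_NAME_2": "placeholder: replace with a real indicator from the report",
}
SUSPICIOUS_AUTHORS = {"shanhai666"}
# Assumed watchlist of legitimate packages the campaign may impersonate.
LEGIT_PACKAGES = {"Sharp7", "Newtonsoft.Json", "Npgsql"}

# Constructed sample manifests (not taken from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Sharp7Extend" Version="1.0.2" />
  </ItemGroup>
</Project>"""
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {"net8.0": {
        "Sharp7Extend": {"type": "Direct", "resolved": "1.0.2"},
        "Sharp7": {"type": "Transitive", "resolved": "1.1.0"},
        "Newtonsft.Json": {"type": "Transitive", "resolved": "1.0.0"},  # constructed typo
    }},
})


def parse_csproj(xml_text):
    """Return {package: version} from every <PackageReference> in a .csproj."""
    refs = {}
    for node in ET.fromstring(xml_text).iter("PackageReference"):
        name = node.get("Include") or node.get("Update")
        if name:
            refs[name] = node.get("Version", "")
    return refs


def parse_lock(json_text):
    """Return {package: resolved version} across all frameworks in packages.lock.json.

    The lock file also lists transitive packages, which a .csproj never shows."""
    refs = {}
    for deps in json.loads(json_text).get("dependencies", {}).values():
        for name, meta in deps.items():
            refs[name] = meta.get("resolved", "")
    return refs


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the legitimate package `name` resembles, or None if it is exact or unrelated."""
    lname = name.lower()
    legit_lower = {p.lower(): p for p in LEGIT_PACKAGES}
    if lname in legit_lower:
        return None
    for low, legit in legit_lower.items():
        # A legitimate name with a suffix bolted on (Sharp7 -> Sharp7Extend) or a near typo.
        if lname.startswith(low) or edit_distance(lname, low) <= 2:
            return legit
    return None


def audit(refs, authors=None):
    """Classify each package; `authors` maps package -> publisher if the caller has it."""
    authors = authors or {}
    findings = []
    for name, version in sorted(refs.items()):
        if name in MALICIOUS_PACKAGES:
            findings.append({"package": name, "version": version, "severity": "critical",
                             "reason": "known malicious, assume compromise: " + MALICIOUS_PACKAGES[name]})
        elif authors.get(name) in SUSPICIOUS_AUTHORS:
            findings.append({"package": name, "version": version, "severity": "high",
                             "reason": f"published by {authors[name]}"})
        elif (target := lookalike_of(name)):
            findings.append({"package": name, "version": version, "severity": "medium",
                             "reason": f"name resembles {target}; verify the publisher"})
    return findings


def audit_project(csproj_text=SAMPLE_CSPROJ, lock_text=SAMPLE_LOCK):
    """Merge direct and transitive references, then audit the union."""
    refs = parse_csproj(csproj_text)
    refs.update(parse_lock(lock_text))
    return audit(refs)


if __name__ == "__main__":
    for f in audit_project():
        print(f"[{f['severity']}] {f['package']} {f['version']}: {f['reason']}")
```

Run it from the project root against the real files instead of the embedded samples; the lock file matters because a malicious package pulled in transitively never appears in the `.csproj`. The publisher check only fires when the caller supplies author metadata (for instance from the package's `.nuspec`), and the two-edit distance threshold will produce false positives on very short package names, so treat the medium findings as a review queue rather than a verdict.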