Malicious NuGet Packages - Time Bombs Target Databases and PLCs
CORTEX Protocol Intelligence Assessment
Business Impact: Malicious NuGet packages with delayed sabotage logic create a unique blend of operational and safety risk, especially where .NET code interfaces with industrial controllers or critical databases. Sabotage scheduled years in the future complicates root-cause analysis and can manifest as sporadic outages or dangerous PLC misbehavior, exposing manufacturers, utilities, and logistics operators to production downtime and physical safety incidents.

Technical Context: The malicious NuGet packages use C# extension methods to hook into normal database and PLC operations, checking the current date against hard-coded trigger windows before probabilistically killing processes or corrupting writes. Targets include Sharp7Extend, which impersonates a legitimate Siemens S7 communication library, and multiple SQL helper packages. Because the malicious logic is compiled into dependent applications, removing the packages from NuGet does not remediate existing builds; defenders need source-level audits and package-inventory scans.
Strategic Intelligence Guidance
- Build an SBOM-driven inventory of all NuGet dependencies across applications, specifically searching for the nine shanhai666 packages including Sharp7Extend and SQL helper libraries.
- Rebuild and redeploy applications that ever referenced the malicious NuGet packages, ensuring updated dependencies are pulled from trusted sources and validated with code review.
- For industrial environments, instrument PLC communication paths with integrity checks and logging capable of detecting anomalous write patterns, unexpected process terminations, or configuration drift.
- Strengthen package governance by enforcing internal mirrors, mandatory security reviews for new dependencies, and automated scanning for known-malicious publishers or suspicious behavior.
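The inventory check in the first guidance item, as an added example that is not tooling from this assessment or from NuGet: it parses PackageReference entries in .csproj/.props/.targets files and both direct and transitive entries in packages.lock.json, then flags anything on a watchlist. Only Sharp7Extend is a name taken from the assessment; the second watchlist entry is a placeholder for the other shanhai666 packages, and the sample files and version numbers are constructed.

```python
"""Inventory scan of .NET project files and lock files against a NuGet watchlist."""
import json
import os
import xml.etree.ElementTree as ET

# Lower-case NuGet IDs (NuGet matches IDs case-insensitively). Sharp7Extend is named in
# the assessment; the second entry is a PLACEHOLDER for the other shanhai666 packages.
WATCHLIST = {"sharp7extend", "placeholder-shanhai666-sql-helper"}
def _local(tag):  # strip the XML namespace so old-style MSBuild files (xmlns=...) match
    return tag.rsplit("}", 1)[-1]
def packages_from_csproj(xml_text):
    """Return {name: version} for every <PackageReference> in a .csproj/.props/.targets."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.get("Include") or el.get("Update")
        if _local(el.tag) == "PackageReference" and name:
            child = next((c.text for c in el if _local(c.tag) == "Version"), None)
            found[name] = el.get("Version") or child or ""
    return found

def packages_from_lockfile(json_text):
    """Return {name: resolved version} for direct AND transitive entries of packages.lock.json."""
    found = {}  # transitive pulls matter: the code is compiled in however it arrived
    for deps in json.loads(json_text).get("dependencies", {}).values():
        found.update({name: info.get("resolved", "") for name, info in deps.items()})
    return found

def flag_matches(packages, watchlist=WATCHLIST):
    """Sorted [(name, version)] of inventory entries that are on the watchlist."""
    return sorted((n, v) for n, v in packages.items() if n.lower() in watchlist)

def scan_tree(root, watchlist=WATCHLIST):
    """Walk a source tree and return [(path, name, version)] for every watchlist hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            parser = (packages_from_lockfile if f == "packages.lock.json" else
                      packages_from_csproj if f.endswith((".csproj", ".props", ".targets")) else None)
            if parser:
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8-sig") as fh:
                    hits += [(path, n, v) for n, v in flag_matches(parser(fh.read()), watchlist)]
    return hits

# Constructed sample inputs (not real project files); the versions are made up.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  <PackageReference Include="Sharp7Extend" Version="1.0.0" /></ItemGroup></Project>"""
SAMPLE_LOCK = """{"version": 1, "dependencies": {"net8.0": {"Dapper": {"type": "Direct",
  "resolved": "2.1.35"}, "Sharp7Extend": {"type": "Transitive", "resolved": "1.0.0"}}}}"""
```

Run scan_tree() over each application repository and treat every hit as a build that must be rebuilt from trusted sources, since deleting the package from the feed leaves the compiled logic in place.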