
Malicious NuGet Packages Plant Time-Delayed Logic Bombs Targeting .NET Database and ICS Systems

  • Rescana
  • Nov 9
  • 5 min read

Executive Summary

A new and highly sophisticated supply chain attack has been identified in the .NET ecosystem, leveraging malicious NuGet packages laced with hidden logic bombs set to detonate years after installation. These packages, published under the user shanhai666 between 2023 and 2024, target both database operations and industrial control systems (ICS) by embedding time-delayed sabotage mechanisms. The attack employs advanced techniques such as C# extension methods, probabilistic triggers, and hardcoded activation dates, making detection and forensic analysis exceptionally challenging. The delayed and randomized nature of the payloads is designed to mimic random software or hardware failures, thereby evading traditional security controls and complicating incident response. Organizations using NuGet packages, especially those in manufacturing, critical infrastructure, and software development, are at significant risk and must take immediate action to audit and secure their software supply chain.

Threat Actor Profile

The malicious campaign is attributed to the NuGet publisher shanhai666, who released at least nine compromised packages. While direct attribution remains unconfirmed, the username and code characteristics suggest a possible Chinese origin. The sophistication of the attack, including the use of time-delayed and probabilistic logic bombs, aligns with tactics observed in state-sponsored supply chain operations, such as those attributed to groups like APT41. However, no direct evidence currently links this campaign to any known advanced persistent threat (APT) group. The actor demonstrates a deep understanding of the .NET ecosystem, supply chain attack vectors, and the operational environments of industrial and manufacturing sectors.

Technical Analysis of Malware/TTPs

The attack leverages the following technical mechanisms:

The malicious NuGet packages—MyDbRepository, MCDbRepository, Sharp7Extend, SqlDbRepository, SqlRepository, SqlUnicornCoreTest, SqlUnicornCore, SqlUnicorn.Core, and SqlLiteRepository—were published and updated between May 2023 and October 2024. These packages have collectively been downloaded nearly 9,500 times as of November 2025.

The core of the attack is a logic bomb embedded within C# extension methods. These methods are automatically invoked during normal database or PLC (Programmable Logic Controller) operations, ensuring the payload is executed in production environments without user interaction. The logic bomb is programmed to activate on specific hardcoded or encrypted dates, such as August 8, 2027, and November 29, 2028, or after a randomized delay post-installation (as seen in Sharp7Extend).

Upon activation, the payload executes one or more of the following sabotage techniques: a 20% probability of terminating the application process, causing random and difficult-to-trace crashes; an 80% probability of silently failing PLC write operations after a 30–90 minute delay, particularly targeting Siemens S7 PLCs via the Sharp7 library; and silent data corruption or write failures in SQL Server, PostgreSQL, and SQLite environments. The delayed and probabilistic nature of these actions is specifically designed to evade detection by security monitoring tools and to mimic random system or hardware failures, thereby complicating root cause analysis.

Obfuscation is further enhanced by the use of encrypted trigger dates and the integration of the payload into legitimate-looking code paths. The packages are named and structured to closely resemble popular or legitimate libraries, increasing the likelihood of accidental adoption by unsuspecting developers.

Exploitation in the Wild

Evidence indicates that the malicious packages have been downloaded and integrated into production environments, particularly within organizations operating in manufacturing, industrial automation, and software development sectors. The public nature of the NuGet repository means the campaign has a global reach, with no specific geographic targeting observed. However, the focus on ICS and database operations suggests a deliberate attempt to compromise environments where downtime or data integrity issues can have severe operational and safety consequences.

Victims have reported unexplained application crashes, silent data corruption, and intermittent failures in PLC operations, often months or years after initial package installation. The delayed activation and randomization of the payloads have resulted in significant challenges for incident response teams, who may misattribute the issues to hardware faults or software bugs rather than a coordinated supply chain attack.

Victimology and Targeting

The primary victims are organizations and developers who have integrated the affected NuGet packages into their software supply chain. This includes manufacturing companies, ICS operators, and software vendors relying on .NET and related database or PLC libraries. The attack is particularly insidious because it targets environments where reliability and data integrity are paramount, such as safety-critical ICS deployments and enterprise database systems.

The campaign does not appear to discriminate by geography, as the NuGet ecosystem is globally accessible. However, the technical focus on Siemens S7 PLCs and major SQL database platforms indicates a strategic intent to disrupt industrial and critical infrastructure operations. Because the payload lives in extension methods, even well-audited codebases may execute it inadvertently: the attack vector is embedded in seemingly innocuous third-party dependencies rather than in the application's own code.

Mitigation and Countermeasures

Immediate mitigation steps include conducting a comprehensive audit of all NuGet dependencies across development, staging, and production environments to identify the presence of the listed malicious packages: MyDbRepository, MCDbRepository, Sharp7Extend, SqlDbRepository, SqlRepository, SqlUnicornCoreTest, SqlUnicornCore, SqlUnicorn.Core, and SqlLiteRepository. Any identified packages should be removed and replaced with verified, trusted alternatives. Organizations should also review application and system logs for unexplained crashes, data corruption, or PLC write failures, particularly in environments utilizing the Sharp7 library or similar ICS integration tools.
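As an added example (not Rescana's own tooling), the following Python audit script scans the three places a NuGet dependency is recorded (SDK-style or legacy .csproj PackageReference entries, packages.config, and packages.lock.json) and flags the nine package IDs listed above; the sample manifests, paths and version numbers it runs against are constructed for the demo.

```python
import json
import xml.etree.ElementTree as ET

# Package IDs named in the advisory. NuGet IDs are case-insensitive, so match lowercased.
MALICIOUS_PACKAGE_IDS = {
    "mydbrepository", "mcdbrepository", "sharp7extend", "sqldbrepository", "sqlrepository",
    "sqlunicorncoretest", "sqlunicorncore", "sqlunicorn.core", "sqlliterepository",
}

def referenced_packages(filename, content):
    """Return {(package_id, version)} declared in one NuGet manifest file."""
    found = set()
    if filename.endswith("packages.lock.json"):
        for framework in json.loads(content).get("dependencies", {}).values():
            for pkg_id, info in framework.items():
                found.add((pkg_id, info.get("resolved", "?")))
    elif filename.endswith("packages.config"):
        for pkg in ET.fromstring(content).iter("package"):
            found.add((pkg.get("id", ""), pkg.get("version", "?")))
    elif filename.endswith("proj"):
        # SDK-style or legacy project file; strip the MSBuild namespace if present.
        for el in ET.fromstring(content).iter():
            if el.tag.rsplit("}", 1)[-1] == "PackageReference":
                pkg_id = el.get("Include") or el.get("Update") or ""
                version = el.get("Version") or el.findtext("Version") or "?"
                found.add((pkg_id, version))
    return found

def audit_manifests(manifests):
    """manifests: {path: content}. Returns sorted (path, id, version) hits from the list."""
    hits = []
    for path, content in manifests.items():
        for pkg_id, version in referenced_packages(path, content):
            if pkg_id.lower() in MALICIOUS_PACKAGE_IDS:
                hits.append((path, pkg_id, version))
    return sorted(hits)

# Constructed sample manifests for the demo (paths and version numbers are invented).
SAMPLE_MANIFESTS = {
    "Plc/Plc.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
        '<PackageReference Include="Sharp7Extend" Version="1.0.3" />'
        '<PackageReference Include="Sharp7" Version="1.1.0" /></ItemGroup></Project>',
    "Web/packages.config": '<packages><package id="SqlLiteRepository" version="1.2.0" '
        'targetFramework="net48" /></packages>',
    "Web/packages.lock.json": json.dumps({"version": 1, "dependencies": {"net8.0": {
        "SqlUnicorn.Core": {"type": "Direct", "resolved": "2.0.1"}}}}),
}

for path, pkg_id, version in audit_manifests(SAMPLE_MANIFESTS):
    print(f"{path}: {pkg_id} {version} is on the advisory's list; remove and replace it")
```

In a real audit, walk the repository and feed every .csproj, packages.config and packages.lock.json found into audit_manifests; the legitimate Sharp7 reference in the sample is deliberately left unflagged to show the match is on exact package ID.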

Long-term countermeasures include implementing strict supply chain security controls, such as mandatory dependency scanning, code review for all third-party packages, and the use of software composition analysis (SCA) tools to detect malicious or outdated dependencies. Maintaining a detailed inventory of all third-party components and their update history is essential for rapid response to future supply chain threats. Organizations should also establish monitoring for anomalous behavior around the specified trigger dates and consider deploying runtime application self-protection (RASP) solutions to detect and block suspicious process terminations or data manipulation attempts.

Security teams are advised to stay informed about emerging supply chain threats and to participate in threat intelligence sharing communities. Regular training and awareness programs for developers and DevOps personnel can further reduce the risk of inadvertently introducing malicious dependencies.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate risks across their entire digital supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify and address vulnerabilities, ensuring resilience against evolving cyber threats. For more information or to discuss how Rescana can help secure your organization, we are happy to answer questions at ops@rescana.com.