Malware is a ticking time bomb! The threat to Siemens S7 PLCs begins in 2027.

Redazione RHC : 10 November 2025 15:56

Researchers have found several libraries in the public NuGet registry that carry code which only activates in 2027 and 2028. The malicious packages target three popular .NET data storage engines (Microsoft SQL Server, PostgreSQL, and SQLite), and one of them is specifically disguised as a library for working with Siemens S7 controllers.

Socket analysts found nine such packages published by the shanhai666 account. At first glance the libraries work as advertised: almost all of the code (about 99%) performs useful functions, so a developer reviewing them would have little reason to suspect anything. Each library, however, contains a small block of malicious logic, roughly 20 lines, wired into ordinary application calls.

The injection technique relies on C# extension methods. An extension method looks like a normal helper at the call site, so the payload runs on every database operation or PLC interaction that goes through the library without any change to the application's own interfaces; nothing in the calling code reveals that an extra step has been inserted into the execution flow.

Internally, the payload checks the system date: if it falls inside a fixed window (August 8, 2027 to November 29, 2028), it draws a random integer between 1 and 100. If the value is greater than 80 (about 20% of calls), it invokes Process.GetCurrentProcess().Kill(), which terminates the host process immediately, with no exception, log entry, or cleanup.
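The following C# sample is an added illustration of the hook pattern described above; it is not code from the shanhai666 packages. It uses the reported date window and 20% odds, but the kill call is replaced by a thrown exception so the sample can be run safely. The class and method names, the use of IDbCommand, and the .NET 6+ Random.Shared API are assumptions made for the example.

```csharp
// Added illustration (not the shanhai666 code): a time-gated kill switch hidden
// inside a C# extension method. Date window and 20% odds are the reported ones;
// the payload is replaced by an exception so the sample is safe to run.
using System;
using System.Data;
using System.Diagnostics;

public static class RepositoryExtensions
{
    // Reported trigger window for the database packages (inclusive).
    public static readonly DateTime WindowStart = new DateTime(2027, 8, 8);
    public static readonly DateTime WindowEnd   = new DateTime(2028, 11, 29);

    // Pure decision function: true on roughly 20% of calls inside the window.
    public static bool ShouldTrigger(DateTime now, int roll) =>
        now.Date >= WindowStart && now.Date <= WindowEnd && roll > 80;

    // Call sites read like an ordinary helper: cmd.ExecuteNonQuerySafe().
    // The wrapper is the "99% useful code"; the hook is a single line.
    public static int ExecuteNonQuerySafe(this IDbCommand cmd)
    {
        MaybeSabotage(DateTime.Now);   // hidden side effect on every call
        return cmd.ExecuteNonQuery();  // the useful work the developer expected
    }

    static void MaybeSabotage(DateTime now)
    {
        int roll = Random.Shared.Next(1, 101);   // uniform 1..100 (.NET 6+ API)
        if (!ShouldTrigger(now, roll)) return;
        // The real packages call Process.GetCurrentProcess().Kill() here, which
        // ends the host process with no exception, log line or cleanup.
        throw new InvalidOperationException(
            $"kill switch would fire in {Process.GetCurrentProcess().ProcessName} (pid {Environment.ProcessId})");
    }
}

// Exercises the gate without touching a database.
public static class Demo
{
    public static void Main()
    {
        var inside  = new DateTime(2028, 1, 1);
        var outside = new DateTime(2026, 1, 1);
        Console.WriteLine(RepositoryExtensions.ShouldTrigger(inside, 81));
        Console.WriteLine(RepositoryExtensions.ShouldTrigger(inside, 80));
        Console.WriteLine(RepositoryExtensions.ShouldTrigger(outside, 99));
    }
}
```

Two things to take from the sample when reviewing third-party packages: the caller never sees the hook (the extension method is invoked exactly like a normal method), and the trigger depends on wall-clock time, so a test suite run today passes. Decompiling a suspect assembly (for example with ILSpy) and searching for Process.GetCurrentProcess().Kill() next to DateTime comparisons and a Random call is a cheap way to spot this class of payload.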

For server applications and services with a steady stream of transactions, this behavior shows up as sudden, unexplained process exits and interrupted request handling. In industrial systems the same logic can break communication with field equipment and take critical control nodes offline.

A separate risk is posed by the Sharp7Extend package, which masquerades as an extension to the popular Sharp7 library, a .NET solution for communicating with Siemens S7 PLCs. The attacker deliberately chose a similar name, hoping developers would find it while searching for "enhancements" to Sharp7. This look-alike library implements two distinct attack methods.

The first scheme is immediate session termination: each call to a PLC transaction function has a 20% chance of killing the process, cutting off communication with the controller. This path is active until June 6, 2028. The second scheme is more subtle: the module attempts to read a configuration value that does not exist, which disrupts initialization. A write filter is then activated together with an artificial delay of 30 to 90 minutes. Once that interval has elapsed, write operations that fall within the filter have an 80% probability of being corrupted, and the application receives no indication that anything went wrong. The consequences are that actuators do not receive commands, setpoints are not updated, protection systems fail to act, and process parameters either stay unchanged or take incorrect values.

The combination of immediate process disruption and delayed damage makes the attack multi-stage: first, monitoring and communication are disrupted; then a hidden fault is planted in the control path, which surfaces later as safety and process failures that are hard to trace back to a software dependency.

At the time of publication, the researchers noted that the shanhai666 account had hosted 12 packages in total, of which nine carried the malicious payload. The packages had been downloaded roughly 9,500 times before the account and its packages were removed from the registry. Removal does not end the risk: any project that has already restored these dependencies still ships the payload in its build output, and it will fire when the trigger dates arrive.

Here are some practical steps for development teams and industrial network operators. First, immediately review the full dependency list of every project, including transitive dependencies, and check for the following packages (NuGet package IDs are case-insensitive, so match them accordingly): SqlUnicorn.Core, SqlDbRepository, SqlLiteRepository, SqlUnicornCoreTest, SqlUnicornCore, SqlRepository, MyDbRepository, MCDbRepository, and Sharp7Extend.

If a match is found, uninstall the component, roll back to a build that predates it, and restore the affected applications from a verified backup. Second, inventory downloads and build artifacts, including local NuGet caches, CI build agents, and any internal package feed that mirrors nuget.org, to make sure the build toolchain has not retained copies of the malicious versions that could be restored again.
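The following C# program is an added example of the dependency check described in the two steps above; it is not a tool from the report. It walks a directory tree, reads every project.assets.json and packages.lock.json that NuGet restore produces, and reports any resolved package whose ID matches the nine names, case-insensitively, so transitive dependencies are covered as well. The file layouts it parses are the standard NuGet ones; the class name and the exit codes are assumptions made for the example.

```csharp
// Added example (not from the report): audit NuGet restore output for the nine
// package IDs. Run with: dotnet run -- <path-to-repo-root>
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.Json;

public static class NuGetAudit
{
    // Package IDs named in the report; NuGet IDs are case-insensitive.
    static readonly HashSet<string> Iocs = new(StringComparer.OrdinalIgnoreCase)
    {
        "SqlUnicorn.Core", "SqlDbRepository", "SqlLiteRepository",
        "SqlUnicornCoreTest", "SqlUnicornCore", "SqlRepository",
        "MyDbRepository", "MCDbRepository", "Sharp7Extend"
    };

    // Yields "file: Id Version" for every matching resolved package under root.
    public static IEnumerable<string> FindHits(string root)
    {
        var opts = new EnumerationOptions { RecurseSubdirectories = true, IgnoreInaccessible = true };
        foreach (var file in Directory.EnumerateFiles(root, "*.json", opts))
        {
            var name = Path.GetFileName(file);
            if (name != "project.assets.json" && name != "packages.lock.json") continue;

            using var doc = JsonDocument.Parse(File.ReadAllText(file));
            foreach (var (id, version) in Packages(doc.RootElement, name))
            {
                if (Iocs.Contains(id))
                    yield return $"{file}: {id} {version}";
            }
        }
    }

    // project.assets.json: "libraries": { "Id/Version": { ... } }
    // packages.lock.json:  "dependencies": { "<tfm>": { "Id": { "resolved": "Version" } } }
    static IEnumerable<(string Id, string Version)> Packages(JsonElement root, string kind)
    {
        if (kind == "project.assets.json" && root.TryGetProperty("libraries", out var libs))
        {
            foreach (var lib in libs.EnumerateObject())
            {
                var parts = lib.Name.Split('/', 2);
                yield return (parts[0], parts.Length > 1 ? parts[1] : "?");
            }
        }
        else if (kind == "packages.lock.json" && root.TryGetProperty("dependencies", out var deps))
        {
            foreach (var tfm in deps.EnumerateObject())
            {
                foreach (var dep in tfm.Value.EnumerateObject())
                {
                    var version = dep.Value.TryGetProperty("resolved", out var v) ? v.GetString() ?? "?" : "?";
                    yield return (dep.Name, version);
                }
            }
        }
    }

    public static int Main(string[] args)
    {
        var root = args.Length > 0 ? args[0] : ".";
        int hits = 0;
        foreach (var hit in FindHits(root))
        {
            Console.WriteLine("MATCH " + hit);
            hits++;
        }
        Console.WriteLine(hits == 0 ? "no listed packages found" : $"{hits} match(es) found");
        return hits == 0 ? 0 : 2;   // non-zero exit so a CI job fails on a hit
    }
}
```

For a single project, `dotnet list package --include-transitive` gives the same resolved list interactively. Remember that restore output only reflects what the project currently references; also look in the global packages folder (by default ~/.nuget/packages, with package IDs as lowercase directory names) and in any internal feed or build-agent cache, since a copy there can be restored back into a project after the registry listing has been removed.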

The report's authors emphasize that the campaign's motives and origin remain unknown, but the execution itself is a well-crafted software supply chain attack. A small malicious fragment embedded in otherwise trustworthy libraries can cause serious disruption to both IT infrastructure and industrial production unless it is found and removed before the triggers fire.
