Cybersecurity researchers have found four malicious NuGet packages that target ASP.NET web application developers in an attempt to steal confidential information. The campaign, discovered by Socket, manipulates authorization rules to establish persistent backdoors in victim applications and exfiltrates ASP.NET Identity data, such as user accounts, role assignments, and permission mappings. The packages are NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_. A user by the name of hamzazaheer published them to the NuGet repository between August 12 and August 21, 2024.

After responsible disclosure, they were later removed from the repository, but not before receiving over 4,500 downloads.
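Because the packages were pulled after disclosure, the practical question for a .NET team is whether any project or build machine ever restored them. The script below is an added example, not code from Socket or from the article: it sweeps a source tree and a NuGet package cache for the four package IDs named above (matched case-insensitively, since NuGet IDs are case-insensitive) and for cached .nuspec metadata listing the publisher account. The sample project, lock file and nuspec contents are constructed for the demonstration; the file patterns it searches are the standard .csproj, Directory.Packages.props, packages.lock.json and .nuspec locations, and the directory to scan is a command-line argument.

```python
"""Sweep .NET project files and the NuGet cache for the package IDs named in the article."""
import json
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Package IDs from the article. NuGet IDs are case-insensitive, so everything is lowercased.
MALICIOUS_IDS = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}
# Publisher account named in the article; checked against <authors> in cached .nuspec files.
MALICIOUS_AUTHORS = {"hamzazaheer"}


def _local(tag):
    """Strip an XML namespace prefix such as '{http://...}PackageReference'."""
    return tag.rsplit("}", 1)[-1]


def ids_from_csproj(text):
    """Lowercased package IDs referenced by a .csproj or Directory.Packages.props."""
    found = set()
    for el in ET.fromstring(text).iter():
        if _local(el.tag) in ("PackageReference", "PackageVersion"):
            pid = el.get("Include") or el.get("Update")
            if pid:
                found.add(pid.lower())
    return found


def ids_from_lock(text):
    """Lowercased package IDs from packages.lock.json across every target framework."""
    found = set()
    for deps in json.loads(text).get("dependencies", {}).values():
        found.update(k.lower() for k in deps)
    return found


def authors_from_nuspec(text):
    """Lowercased author names from a cached .nuspec (comma-separated in <authors>)."""
    for el in ET.fromstring(text).iter():
        if _local(el.tag) == "authors" and el.text:
            return {a.strip().lower() for a in el.text.split(",")}
    return set()


def find_hits(text, kind):
    """Return the sorted indicators matched in one file's contents; kind selects the parser."""
    if kind == "csproj":
        return sorted(ids_from_csproj(text) & MALICIOUS_IDS)
    if kind == "lock":
        return sorted(ids_from_lock(text) & MALICIOUS_IDS)
    if kind == "nuspec":
        return sorted(authors_from_nuspec(text) & MALICIOUS_AUTHORS)
    raise ValueError(f"unknown file kind: {kind}")


def sweep(root):
    """Walk a directory (source tree or ~/.nuget/packages) and collect (path, hits) pairs."""
    patterns = {"*.csproj": "csproj", "Directory.Packages.props": "csproj",
                "packages.lock.json": "lock", "*.nuspec": "nuspec"}
    results = []
    for pattern, kind in patterns.items():
        for path in Path(root).rglob(pattern):
            try:
                hits = find_hits(path.read_text(encoding="utf-8", errors="replace"), kind)
            except (ET.ParseError, json.JSONDecodeError):
                continue  # unparseable file: skip rather than abort the sweep
            if hits:
                results.append((str(path), hits))
    return results


# Constructed sample inputs (not real project files), used to exercise the parsers.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="NCryptYo" Version="1.0.2" />
  </ItemGroup>
</Project>"""

SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "IRAOAuth2.0": {"type": "Direct", "requested": "[1.0.0, )", "resolved": "1.0.0"},
    "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
}}})

SAMPLE_NUSPEC = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>SimpleWriter_</id><version>1.0.0</version><authors>hamzazaheer</authors>
  </metadata>
</package>"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sweep(target):
        print(f"{path}: {', '.join(hits)}")
```

Run it once against each solution directory and once against the global packages folder (the path printed by `dotnet nuget locals global-packages --list`); a hit in the cache without a hit in any project file still means the package was restored on that machine at some point.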

The software supply chain security firm says that NCryptYo functions as a first-stage dropper, setting up a local proxy on localhost:7152 to route traffic to a command-and-control (C2) server under the attacker's control, whose address is retrieved dynamically at runtime. On macOS it retrieves a further script that uses osascript to run JavaScript and drops Apfell, a JavaScript for Automation (JXA) agent from the open-source Mythic C2 framework that can perform reconnaissance, take screenshots, steal information from Google Chrome, and obtain system passwords by posing as a credential prompt. According to the company, "it targets developers on Windows, Linux, and macOS hosts, and uses multiple techniques to evade detection, and drops open-source malware with advanced capabilities."

Once the data has been collected, the attacker exfiltrates it to a Yandex Cloud domain, both to blend in with legitimate traffic and to exploit the fact that trusted services are less likely to be blocked within corporate networks. Eslint-verify-plugin, another rogue npm package that JFrog recently identified as dropping the Mythic agents Poseidon and Apfell on Linux and macOS systems, is thought to be more developed than Ambar-src. Tenable stated, "A computer system must be deemed completely compromised if this package is installed or operating on it."