Socket's Threat Research Team recently discovered a sophisticated supply chain attack targeting ASP.NET developers. This article explores the packages used in the attack. Four malicious NuGet packages are involved, with the aim of planting persistent backdoors in affected applications and exfiltrating login credentials.

The campaign delivers a multi-stage payload: the NCryptYo dropper comes first, followed by the credential-harvesting packages DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_. Since their release in August 2024, the malicious packages have been downloaded more than 4,500 times. The lead package, NCryptYo, typosquats the genuine NCrypto package in order to pass as a cryptography library.

Socket's AI Scanner flagged NCryptYo before the package could run, based on its typosquatting pattern, non-functional public API, JIT compiler hooking, and multi-stage dropper architecture (source: Socket). Socket's tooling, such as the Socket CLI and Socket Firewall, adds layers of defense against this kind of attack by blocking malicious packages and preventing compromised dependencies from entering production environments. Organizations can strengthen their posture against evolving supply chain threats by integrating these tools into their development workflows.