With developers themselves increasingly the primary target for cybercriminals, a new supply chain attack has been uncovered lurking within the NuGet ecosystem. According to a new report, threat actors have deployed a cluster of malicious packages designed not just to infect developers’ machines, but to silently weave backdoors into the very fabric of the enterprise applications they are building.
“Socket’s Threat Research Team discovered a NuGet supply chain attack involving four malicious packages targeting ASP.NET web application developers.” — Socket Threat Research Team
The campaign, orchestrated by a threat actor operating under the handle hamzazaheer, managed to accumulate over 4,500 downloads before takedown requests were initiated. The attack relies on a multi-stage payload spread across four distinct packages: NCryptYo, DOMOAuth2, IRAOAuth2.0, and SimpleWriter_adds.
The initial vector for this campaign relies on developer fatigue and typosquatting. The lead package, NCryptYo, is designed to trick developers who are looking for the legitimate NCrypto cryptography library.
However, the attackers took this deception a step further, engineering what researchers call a “three-layer naming attack.”
“The lead package NCryptYo masquerades as a cryptography library through deliberate typosquatting of the legitimate NCrypto package… The threat actor created a three-layer naming attack: the package name targets NCrypto, the DLL filename NCrypt.dll mimics Windows’ CNG cryptography provider… and the namespace NCrypt matches Microsoft’s cryptography APIs.” — Socket Threat Research Team
Despite this elaborate disguise, the package contains no actual cryptographic functions. Instead, it acts as a stage-1 dropper, quietly establishing a local proxy on localhost:7152 while its public methods return nothing but null.
Once the initial dropper is in place, the companion packages (DOMOAuth2 and IRAOAuth2.0) go to work on the application’s identity and access management framework.
These packages are designed to exfiltrate highly sensitive ASP.NET Identity data, including user accounts, role assignments, and permission mappings. Worse, they communicate with a Command and Control (C2) server that can inject arbitrary, modified permission data back into the application.
By manipulating the Message.Data field, the attackers create a persistent backdoor in the application’s authorization system, allowing them to grant themselves administrative roles or disable security checks entirely.
Meanwhile, the SimpleWriter_adds package provides the attackers with unconditional file-writing capabilities and the ability to execute hidden processes, cementing their control over the compromised environment.
The attackers are playing a patient game, using the developer purely as a conduit to reach the final production environment.
“The campaign’s objective is not to compromise the developer’s machine directly, but to compromise the applications they build. By controlling the authorization layer during development, the threat actor gains access to deployed production applications.” — Socket Threat Research Team
When a victim unwittingly deploys their ASP.NET application containing these malicious dependencies, the C2 infrastructure remains fully active in the live production environment. The threat actors—or whoever they sell the access to—can then waltz into the deployed instance with full administrative privileges.
This campaign highlights the critical need for robust dependency scanning and software bill of materials (SBOM) auditing in modern development pipelines. Trusting the package registry is no longer enough.
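As an added illustration of the dependency audit this paragraph calls for (example code written for this page, not Socket's tooling or anything from the report): a small scanner that walks a project's PackageReference entries, flags the four package IDs named above, and flags near-misspellings of the legitimate NCrypto package. The sample .csproj and its version numbers are constructed for the demonstration.

```python
"""Audit NuGet PackageReference entries for the package IDs named in the Socket
report and for close typosquats of NCrypto. Constructed example, not Socket's code."""
import xml.etree.ElementTree as ET

# Package IDs named in the report (compared case-insensitively).
MALICIOUS_IDS = {"ncryptyo", "domoauth2", "iraoauth2.0", "simplewriter_adds"}
# Legitimate IDs whose look-alikes we want to catch; assumption: only NCrypto here.
WATCHED_LEGIT = {"NCrypto"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than pull a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_csproj(xml_text: str, max_distance: int = 2) -> list:
    """Return (package_id, version, reason) findings for a .csproj document."""
    findings = []
    root = ET.fromstring(xml_text)
    for ref in root.iter():
        # Strip any MSBuild XML namespace so old-style and SDK-style projects both match.
        if ref.tag.split("}")[-1] != "PackageReference":
            continue
        pid = ref.get("Include") or ""
        ver = ref.get("Version") or "?"
        if pid.lower() in MALICIOUS_IDS:
            findings.append((pid, ver, "package ID named in the Socket report"))
            continue
        for legit in WATCHED_LEGIT:
            d = levenshtein(pid.lower(), legit.lower())
            if 0 < d <= max_distance:
                findings.append((pid, ver, f"within edit distance {d} of {legit}"))
    return findings


# Constructed sample project file; versions are made up for the demo.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="NCryptYo" Version="1.0.3" />
    <PackageReference Include="DOMOAuth2" Version="2.1.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pid, ver, reason in audit_csproj(SAMPLE_CSPROJ):
        print(f"FLAG {pid} {ver}: {reason}")
```

Run it against real project files by feeding each .csproj's contents to audit_csproj; a lock file (packages.lock.json) would need a different parser but the same ID checks.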