Same alias, different author names, and forged signatures for various packages | Image: Socket
A sophisticated supply-chain attack has been uncovered in the NuGet package registry, where nine packages published under the alias shanhai666 are designed to execute destructive, time-delayed payloads against database applications and industrial control systems. Socket’s Threat Research Team identified the packages, which were published between 2023 and 2024 and have accumulated 9,488 downloads.
Each malicious package in the campaign provides nearly all of its advertised functionality, blending genuine code with hidden sabotage. Socket’s analysis revealed that 99% of the codebase was legitimate, implementing well-known enterprise patterns like Repository, Unit of Work, and ORM reflection mapping.
“This legitimate functionality serves multiple purposes: it builds trust as packages work as advertised, passes code reviews where reviewers see familiar patterns and real implementations, provides actual value encouraging adoption, masks the ~20-line malicious payload buried in thousands of lines of legitimate code, and delays discovery.”
The result is that these packages appear professional, functional, and reliable — until they suddenly destroy themselves or silently sabotage data integrity.
At the technical core of the campaign is an extension method injection pattern, where the attacker leverages C# extension methods to inject malicious logic into existing APIs.
“The malware exploits C# extension methods to transparently inject malicious logic into every database and PLC operation,” Socket explained. “Extension methods allow developers to add new methods to existing types without modifying the original code — a powerful C# feature that the threat actor weaponizes for interception.”
Two methods, .Exec() for database operations and .BeginTran() for PLC communications, were added across all malicious packages. These methods appear benign but contain conditional triggers that can terminate applications or corrupt data based on specific dates and probabilities.
Socket researchers found that most malicious packages include hardcoded trigger dates—such as August 8, 2027 and November 29, 2028—after which they begin terminating host processes at random.
“Each time an application executes a database query or PLC operation, these extension methods automatically execute… After the trigger date passes, the malware generates a random number between 1 and 100. If the number exceeds 80—a 20% probability—the malware calls Process.GetCurrentProcess().Kill(), immediately terminating the entire application.”
Although a 20% trigger rate sounds low, it is a per-call probability: once the date condition is met, an application survives on average only five gated calls (1/0.2) before one of them kills the process. Socket notes that applications making hundreds of database calls per minute will therefore crash almost immediately; for high-throughput systems this equates to total service disruption within seconds.
“Production applications executing hundreds of queries per hour will crash within seconds,” the report warned.
- “E-commerce (100 queries/min): ~3 seconds → mid-checkout failures
- Healthcare (50 queries/min): ~6 seconds → critical system outages
- Financial (500 queries/min): <1 second → complete platform failure
- Manufacturing (10 ops/min, Sharp7Extend): ~30 seconds → production crashes plus 80% silent write failures compromising safety systems”
The most sophisticated package, Sharp7Extend, targets industrial automation systems by mimicking a legitimate .NET library for Siemens S7 programmable logic controllers (PLCs).
“The Sharp7Extend package specifically targets users of the legitimate Sharp7 library… By appending ‘Extend’ to the trusted Sharp7 name, the threat actor exploits developers searching for Sharp7 extensions or enhancements.”
To conceal its malicious intent, Sharp7Extend bundles the real Sharp7 library (version 1.1.79) alongside its own malicious code. This ensures that all standard PLC communications work perfectly during testing—while the hidden extensions quietly prepare to attack.
Socket identified two destructive mechanisms in Sharp7Extend:
- Random Process Termination — The malware terminates the process with 20% probability on every PLC connection until June 6, 2028.
- Silent Data Corruption — After a 30–90 minute grace period, the package begins causing 80% of write operations to fail silently.
This two-phase sabotage makes debugging extremely difficult. Initial crashes seem random, while subsequent data corruption appears as “hardware faults,” allowing the malware to persist undetected in production environments.
To increase adoption, the shanhai666 actor also published three legitimate packages alongside the nine malicious ones to build a history of credible contributions on NuGet.
“Developers researching the author find genuine, working packages alongside the malicious ones, reducing suspicion,” Socket noted. “The malicious packages strategically target all three major database providers used in .NET applications — SQL Server, PostgreSQL, SQLite — plus industrial control systems.”
The attacker even forged .nuspec author fields to display different names across packages, a tactic to evade reputation-based security scanning. The authors field is free-form metadata written by whoever builds the package; unlike the owner account shown on nuget.org it is not verified, so a differing author name is trivial to fake and should carry no weight when assessing a package.
Several clues point toward a possible Chinese origin for the campaign. Socket’s analysis revealed Chinese-language strings embedded in the DLLs (source comments do not survive compilation, so these are runtime strings such as error messages), including “出现异常” (exception occurred) and “连接失败” (connection failed). The alias “shanhai666” itself appears to derive from Chinese, translating to “mountains and seas”, with “666” being Chinese internet slang for “excellent” or “smooth.”
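The indicators described above can be turned into a quick first-pass triage of a downloaded .nupkg. The script below is an added example written for this article; it is not Socket’s tooling and contains no code from the shanhai666 packages. It relies only on what the report states and on how .NET assemblies are laid out: a call to Process.GetCurrentProcess().Kill() leaves the member names GetCurrentProcess and Kill in the assembly’s #Strings heap (UTF-8, NUL-terminated); C# extension methods make the compiler emit a reference to ExtensionAttribute; string literals such as “出现异常” sit in the #US heap as UTF-16LE; Sharp7Extend bundles the real Sharp7.dll next to its own assembly; and the .nuspec authors field was varied across packages. The sample package it builds is constructed for the demonstration, and its DLL entries are byte strings carrying those markers, not real assemblies; the author name it uses is invented.

```python
"""Triage a NuGet .nupkg for the indicators described in the article.

Added example, not Socket's tooling and not code from the shanhai666
packages. The sample package built by build_sample_package() is constructed
for this demonstration; its .dll entries are not real .NET assemblies.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# NUL-delimited so that "Kill" does not also match e.g. "Killer" in the heap.
UTF8_MARKERS = {
    "calls Process.GetCurrentProcess().Kill()": [b"\x00GetCurrentProcess\x00", b"\x00Kill\x00"],
    "defines C# extension methods": [b"\x00ExtensionAttribute\x00"],
}
# Messages quoted in the report; string literals are stored as UTF-16LE.
UTF16_LITERALS = ["出现异常", "连接失败"]


def nuspec_fields(zf):
    """Pull id, version and authors from the root-level .nuspec, ignoring its XML namespace."""
    for name in zf.namelist():
        if name.lower().endswith(".nuspec") and "/" not in name:
            fields = {}
            for el in ET.fromstring(zf.read(name)).iter():
                local = el.tag.rsplit("}", 1)[-1]
                if local in ("id", "version", "authors"):
                    fields[local] = (el.text or "").strip()
            return fields
    return {}


def scan_assembly(data):
    """Return the indicator descriptions whose byte markers all appear in the assembly bytes."""
    hits = [label for label, markers in UTF8_MARKERS.items()
            if all(m in data for m in markers)]
    hits += [f"contains string literal {lit!r}" for lit in UTF16_LITERALS
             if lit.encode("utf-16-le") in data]
    return hits


def triage_nupkg(nupkg_bytes, expected_authors=None):
    """Return (nuspec fields, list of findings) for one .nupkg given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        meta = nuspec_fields(zf)
        authors = meta.get("authors")
        if expected_authors is not None and authors != expected_authors:
            findings.append(f"nuspec authors {authors!r} differ from the publisher alias {expected_authors!r}")
        own_dll = f"{meta.get('id', '').lower()}.dll"
        for name in zf.namelist():
            if not name.lower().endswith(".dll"):
                continue
            # A package shipping assemblies other than its own (Sharp7Extend bundles Sharp7.dll).
            if name.rsplit("/", 1)[-1].lower() != own_dll:
                findings.append(f"{name}: bundles an assembly not named after the package")
            findings += [f"{name}: {hit}" for hit in scan_assembly(zf.read(name))]
    return meta, findings


def build_sample_package():
    """Constructed stand-in for a Sharp7Extend-style package (author name is invented)."""
    nuspec = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Sharp7Extend</id>
    <version>1.0.0</version>
    <authors>Some Other Name</authors>
    <description>Extensions for Sharp7</description>
  </metadata>
</package>"""
    # Fake assembly bodies: only the heap-style markers a real one would contain.
    malicious_dll = (b"MZ" + b"\x00" * 16
                     + b"\x00Sharp7Extend\x00S7Client\x00ExtensionAttribute\x00"
                     + b"System.Diagnostics\x00Process\x00GetCurrentProcess\x00Kill\x00"
                     + "出现异常".encode("utf-16-le") + "连接失败".encode("utf-16-le"))
    bundled_dll = b"MZ" + b"\x00" * 16 + b"\x00Sharp7\x00S7Client\x00ConnectTo\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sharp7Extend.nuspec", nuspec)
        zf.writestr("lib/netstandard2.0/Sharp7Extend.dll", malicious_dll)
        zf.writestr("lib/netstandard2.0/Sharp7.dll", bundled_dll)
    return buf.getvalue()


if __name__ == "__main__":
    meta, findings = triage_nupkg(build_sample_package(), expected_authors="shanhai666")
    print(meta)
    for line in findings:
        print(" -", line)
```

To run it against a real download, pass `open("pkg.nupkg", "rb").read()` to `triage_nupkg` with the publisher alias you expect in `expected_authors`. Treat hits as leads, not verdicts: the check is a byte-level heuristic, so an obfuscated assembly, a renamed wrapper or a Kill() reached through reflection will slip past it, and legitimate code can reference Process.Kill or define extension methods. Confirm in a decompiler by locating static classes that attach extension methods to the database or S7Client types and checking whether those methods compare DateTime against a hardcoded date and feed a random draw into a process kill or a suppressed write.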
Socket has reported all malicious packages to NuGet, which confirmed that it is investigating and working on removal. However, as of Socket’s publication, the packages remained live on the registry.