Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware
Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware
https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html
Publish Date: 2026-02-25 07:43:00
Source Domain: thehackernews.com
Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data.
The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, as well as manipulates authorization rules to create persistent backdoors in victim applications.
The names of the packages are listed below –
- NCryptYo
- DOMOAuth2_
- IRAOAuth2.0
- SimpleWriter_
The NuGet packages were published to the repository between August 12 and 21, 2024, by a user named hamzazaheer. They have since been taken down from the repository following responsible disclosure, but not before attracting more than 4,500 downloads.
According to the software supply chain security company, NCryptYo acts as a first-stage dropper that establishes a local proxy on localhost:7152 that relays traffic to an attacker-controlled command-and-control (C2) server whose address is dynamically retrieved at runtime. It’s worth noting that NCryptYo attempts to masquerade as the legitimate NCrypto package.
DOMOAuth2_ and IRAOAuth2.0 steal Identity data and backdoor apps, while SimpleWriter_ features unconditional file writing and hidden process execution capabilities while presenting itself as a PDF conversion utility. An analysis of package metadata has revealed identical build environments, indicating that the campaign is the work of a single threat actor.
“NCryptYo is a stage-1 execution-on-load dropper,” security researcher Kush Pandya said. “When the assembly loads, its static constructor installs JIT compiler hooks that decrypt embedded payloads and deploy a stage-2 binary – a localhost proxy on port 7152 that relays traffic between the companion packages and the attacker’s external C2 server, whose address is resolved dynamically at runtime.”
Once the proxy is active, DOMOAuth2_ and IRAOAuth2.0 begin…
