{"id":217302,"date":"2026-02-25T07:43:00","date_gmt":"2026-02-25T12:43:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/25\/malicious-nuget-packages-stole-asp-net-data-npm-package-dropped-malware\/"},"modified":"2026-02-25T10:40:09","modified_gmt":"2026-02-25T15:40:09","slug":"malicious-nuget-packages-stole-asp-net-data-npm-package-dropped-malware","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/25\/malicious-nuget-packages-stole-asp-net-data-npm-package-dropped-malware\/","title":{"rendered":"Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/malicious-nuget-packages-stole-aspnet.html\">Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/malicious-nuget-packages-stole-aspnet.html\">https:\/\/thehackernews.com\/2026\/02\/malicious-nuget-packages-stole-aspnet.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-25 07:43:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Feb 25, 2026<\/span><\/span><span class=\"p-tags\">Cybersecurity \/ Malware<\/span><\/p>\n<p>Cybersecurity researchers have discovered four malicious NuGet packages that are designed to target ASP.NET web application developers to steal sensitive data.<\/p>\n<p>The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permission mappings, and manipulates authorization rules to create persistent backdoors in victim applications.<\/p>\n<p>The names of the packages are listed below &#8211;<\/p>\n<ul>\n<li>NCryptYo<\/li>\n<li>DOMOAuth2_<\/li>\n<li>IRAOAuth2.0<\/li>\n<li>SimpleWriter_<\/li>\n<\/ul>\n<p>The NuGet packages were 
published to the repository between August 12 and 21, 2024, by a user named hamzazaheer. They have since been taken down from the repository following responsible disclosure, but not before attracting more than 4,500 downloads.<\/p>\n<p>According to the software supply chain security company, NCryptYo acts as a first-stage dropper that establishes a local proxy on localhost:7152 that relays traffic to an attacker-controlled command-and-control (C2) server whose address is dynamically retrieved at runtime. It&#8217;s worth noting that NCryptYo attempts to masquerade as the legitimate NCrypto package.<\/p>\n<p>DOMOAuth2_ and IRAOAuth2.0 steal Identity data and backdoor apps, while SimpleWriter_ features unconditional file writing and hidden process execution capabilities while presenting itself as a PDF conversion utility. An analysis of package metadata has revealed identical build environments, indicating that the campaign is the work of a single threat actor.<\/p>\n<p>&#8220;NCryptYo is a stage-1 execution-on-load dropper,&#8221; security researcher Kush Pandya said. 
&#8220;When the assembly loads, its static constructor installs JIT compiler hooks that decrypt embedded payloads and deploy a stage-2 binary &#8211; a localhost proxy on port 7152 that relays traffic between the companion packages and the attacker&#8217;s external C2 server, whose address is resolved dynamically at runtime.&#8221;<\/p>\n<p>Once the proxy is active, DOMOAuth2_ and IRAOAuth2.0 begin&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/malicious-nuget-packages-stole-aspnet.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware https:\/\/thehackernews.com\/2026\/02\/malicious-nuget-packages-stole-aspnet.html Publish Date: 2026-02-25 07:43:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":217303,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjE-bjDoQWaHQbmh17EY0EzAbNkQxh3AHTCEBNjNpdXsBeuuuHPycl9tIzC9msasA7ZwhewkuMMk-MAJvrV5EVSgOrn8FdHnAxdkiGA1YRNL4pHJ3QUSoreUf6d9VIRagp9oi26XKEYgsdon3wDf81fE5mjkq8yJmhC2wSkIK3emLP_xHvAJ2eC3uanvXEW\/s16000\/coding.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,34],"class_list":["post-217302","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/217302"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=217302"}],"v
ersion-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/217302\/revisions"}],"predecessor-version":[{"id":217304,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/217302\/revisions\/217304"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/217303"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=217302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=217302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=217302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}