Malicious NuGet Packages That Steal ASP.NET Data; npm Package Dropped Malware

Cybersecurity researchers have discovered four malicious NuGet packages designed to target ASP.NET web application developers and steal sensitive data.
The campaign, discovered by Socket, exfiltrates ASP.NET Identity data, including user accounts, role assignments, and permissions, and manipulates authorization rules to create persistent backdoors in victim applications.
The names of the packages are listed below –
- NCryptYo
- DOMOAuth2_
- IRAOAuth2.0
- SimpleWriter_
The packages were published to the NuGet repository between August 12 and 21, 2024, by a user named hamzazaheer. They have since been taken down following responsible disclosure, but not before attracting over 4,500 downloads.
According to the software supply chain security company, NCryptYo acts as a first-stage dropper that establishes a local proxy at localhost:7152 and forwards traffic to an attacker-controlled command-and-control (C2) server whose address is resolved dynamically at runtime. It is worth noting that NCryptYo attempts to pass itself off as the official NCrypto package.
DOMOAuth2_ and IRAOAuth2.0 steal Identity data, while SimpleWriter_ provides arbitrary file-write and hidden process execution capabilities while presenting itself as a PDF conversion tool. An analysis of the packages’ metadata revealed similar build locations, indicating that the campaign is the work of a single threat actor.
“NCryptYo is the first step to kill-on-load,” said security researcher Kush Pandya. “When the assembly loads, its static constructor inserts JIT compilation hooks that decrypt the embedded payload and issue a stage-2 binary – a localhost proxy on port 7152 that forwards traffic between companion packages and the attacker’s external C2 server, whose address is dynamically resolved at runtime.”
Once the proxy is up and running, DOMOAuth2_ and IRAOAuth2.0 begin passing ASP.NET Identity data through the local proxy to the external infrastructure. The C2 server responds with authorization rules that the application then applies, creating a persistent backdoor by granting the attacker administrative roles, changing access controls, or disabling security checks. SimpleWriter_, on the other hand, writes attacker-controlled content to disk and executes the downloaded binary with hidden windows.

It is not clear how users are tricked into downloading these packages, since the attack chain only activates once all four of them are installed.
“The purpose of the campaign is not to directly compromise the engineers’ machine, but to compromise the systems they are building,” explained Pandya. “By controlling the authorization layer during development, a threat actor gains access to deployed production applications.”
“When a victim executes their ASP.NET application with a malicious dependency, the C2 infrastructure remains active in production, continuously extracting authorization data and accepting modified authorization rules. A threat actor or consumer can give themselves administrative level access to any instance deployed.”
The disclosure comes as Tenable detailed a malicious npm package called mbar-src that accumulated more than 50,000 downloads before being removed from the JavaScript registry. It was uploaded to npm on February 13, 2026.
The package uses an npm preinstall script hook to trigger the execution of malicious code contained in index.js during installation. The malware runs a one-line command that retrieves different payloads from the domain “x-ya[.]ru” depending on the operating system –
- On Windows, it downloads and executes a file called msinit.exe that contains encrypted shellcode, which is decoded and loaded into memory.
- On Linux, it downloads a bash script and executes it. The bash script then fetches another payload from the same server, an ELF binary that runs as an SSH-based shell client.
- On macOS, it downloads another script that uses osascript to run JavaScript responsible for dropping Apfell, a JavaScript for Automation (JXA) agent that is part of the Mythic C2 framework and can also inspect the system, collect screenshots, steal data from Google Chrome, and capture system passwords by displaying fake prompts.
“It uses multiple techniques to avoid detection, and mitigate open-source malware with advanced capabilities, targeting developers for Windows, Linux, and macOS hosts,” the company said.
Once the data is collected, it is exfiltrated to the attacker’s Yandex Cloud domain, blending in with legitimate traffic and taking advantage of the fact that trusted services are less likely to be blocked within corporate networks.
mbar-src is assessed to be an evolved variant of eslint-verify-plugin, another malicious npm package recently flagged by JFrog as dropping the Mythic agents Poseidon and Apfell on Linux and macOS systems.
“If this package is installed or running on a computer, that program should be considered completely vulnerable,” Tenable said. “Although the package should be removed, please note that because an outside entity may have gained full control of the computer, removing the package does not guarantee the removal of all malicious software.”
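As an added defender-side check (example code, not from Socket, Tenable, or the article), the following Python script audits a project’s .csproj and package.json for the package names named in the two campaigns above and flags npm install-time lifecycle hooks of the kind mbar-src abused; the sample project files are constructed for the demonstration.

```python
"""Audit .NET and npm project files for the packages described in the article."""
import json
import xml.etree.ElementTree as ET

# Package names taken from the article (compared case-insensitively)
MALICIOUS_NUGET = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}
MALICIOUS_NPM = {"mbar-src", "eslint-verify-plugin"}
# npm lifecycle hooks that execute code at install time (mbar-src used preinstall)
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def audit_csproj(xml_text):
    """Return PackageReference names that match the known-bad NuGet list."""
    root = ET.fromstring(xml_text)
    hits = []
    for ref in root.iter("PackageReference"):  # SDK-style projects have no namespace
        name = ref.get("Include", "")
        if name.lower() in MALICIOUS_NUGET:
            hits.append(name)
    return hits


def audit_package_json(text):
    """Return findings: known-bad npm dependencies plus any install-time scripts."""
    data = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name in data.get(section, {}):
            if name.lower() in MALICIOUS_NPM:
                findings.append(f"{section}: {name}")
    for hook in INSTALL_HOOKS:
        cmd = data.get("scripts", {}).get(hook)
        if cmd:  # any install-time script deserves manual review, not only known names
            findings.append(f"lifecycle hook {hook}: {cmd}")
    return findings


# Constructed sample inputs (not real project files)
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="NCryptYo" Version="1.0.0" />
  </ItemGroup>
</Project>"""

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "scripts": {"preinstall": "node index.js", "test": "jest"},
    "dependencies": {"express": "^4.18.0", "mbar-src": "1.0.0"},
})

if __name__ == "__main__":
    print(audit_csproj(SAMPLE_CSPROJ))           # ['NCryptYo']
    print(audit_package_json(SAMPLE_PACKAGE_JSON))
```

Legacy (non-SDK) .csproj files carry an XML namespace and packages.config lists packages differently, so those layouts need their own lookup; the lifecycle-hook check applies to any package.json, not only the project’s own.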