(Image credit: Shutterstock)

• Socket found nine NuGet packages with delayed sabotage targeting industrial control systems
• Sharp7Extend can corrupt Siemens S7 PLCs and randomly crash host processes
• Malicious code activates in 2027–2028; users urged to audit and remove affected packages

Thousands of critical infrastructure organizations, as well as those working in other, equally important verticals, were targeted by a perfidious attack that sought to sabotage their industrial control devices (ICD) two years down the line, experts have discovered.

Cybersecurity researchers Socket recently found nine packages on NuGet that contained sabotage payloads set to activate in 2027 and 2028, if certain conditions were met.

NuGet is the package manager for .NET, providing open source .NET libraries which software developers can easily integrate in their projects.

Thousands of victims

According to Socket, the packages targeted all three major database providers used in .NET applications - SQL Server, PostgreSQL, and SQLite, adding that the most dangerous one is Sharp7Extend. This package targets Sharp7 library users.

“By appending “Extend” to the trusted Sharp7 name, the threat actor exploits developers searching for Sharp7 extensions or enhancements,“ Socket explained.

The account that was hosting them is shanhai666 and, according to BleepingComputer, has had all of these delisted in the meantime. Before that happened, the packages managed to rake up almost 10,000 downloads.

While almost all of the code in the packages (99%) was clean, that 1% could prove fatal. It was written to run whenever the app talks to databases, or Siemens S7 PLCs.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Siemens S7 industrial control devices can usually be found in manufacturing plants, energy and utilities, oil, gas, and chemical industries, building automation, and transportation.

The payload is triggered only between August 8, 2027, and November 29, 2028, and does two destructive things: randomly kills the host process 20% of the time (causing immediate stops) and, in the Sharp7Extend package, either breaks initialization and/or, after a 90-minute delay, corrupts PLC write commands with an 80% chance.

Who uploaded these packages and to what end, remains a mystery. Users are advised to audit their assets for the packages and remove them immediately.

Here is the full list of malicious packages discovered so far:

SqlUnicorn.Core qlDbRepository SqlLiteRepository SqlUnicornCoreTest SqlUnicornCore SqlRepository MyDbRepository MCDbRepository Sharp7Extend

*Via *BleepingComputer

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.