Security experts have helped remove malicious NuGet packages planted in 2023 that were designed to destroy systems years in advance, with some payloads not due to hit until the latter part of this decade.

Socket’s researchers identified nine malicious packages on the .NET package manager containing destructive code due to trigger between 2027 and 2028, with one affecting “safety-critical systems in manufacturing environments.”

Of the 12 packages published by the NuGet user shanhai666 between 2023 and 2024, nine contained malicious code and have been downloaded nearly 10,000 times.

Notably, the packages are comprised of genuinely useful code serving legitimate purposes. Kush Pandya, security engineer at Socket, said 99 percent of the code among these packages was benign, which serves as a trust-builder.

He wrote: “This legitimate functionality serves multiple purposes: it builds trust as packages work as advertised, passes code reviews where reviewers see familiar patterns and real implementations, provides actual value encouraging adoption, masks the ~20-line malicious payload buried in thousands of lines of legitimate code, and delays discovery since even after activation, crashes appear as random bugs rather than systematic attacks.”

Some of these packages targeted major database providers (SQL Server, PostgreSQL, and SQLite). After the trigger dates, set years in the future, users querying a database would have a 20 percent probability of terminating the host application process.

Pandya said that the most damaging of the nine packages, Sharp7Extend, targets the Siemens S7 programmable logic controllers (PLCs) typically used in manufacturing.

Siemens commands a large market share in the PLC space, with some reporting a dominant 15-20 percent market share, and its S7 products are among its most widely used.

The extension aims to trick users into thinking it is affiliated with the genuine Sharp7 package, using a touch of typosquatting to suggest it provides more features than the original.

Sharp7Extend provides all the same functionality as Sharp7 with the addition of a few lines of malicious code – enough to achieve the attackers’ goals without arousing suspicion in code reviews.

The packages targeting databases are set to trigger in the future. One of the SQL Server malware strains activates on August 8, 2027, whereas the packages targeting PostgreSQL, SQLite, and other SQL Server implementations activate on November 29, 2028.

• Invisible npm malware pulls a disappearing act – then nicks your tokens
• ‘Keep Android Open’ movement fights back against Google sideloading restrictions
• One line of malicious npm code led to massive Postmark email heist
• You’ll never guess what the most common passwords are. Oh, wait, yes you will
• Self-propagating worm fuels latest npm supply chain compromise

Pandya did not provide an explanation for why these specific dates were chosen, other than that they were set in the future, which allows the attackers to build a number of trusted victims before executing the malicious code.

Sharp7Extend was programmed differently in that it does not have a delayed fuse. Downloaded more than 2,000 times according to Socket, the extension’s malicious code is activated immediately upon installation, but ceases to execute after June 6, 2028.

Also unlike the database packages, Sharp7Extend has two different mechanisms for industrial sabotage.

The first involves code triggering on every Siemens S7 communication operation, but only executes the malicious logic with a 20 percent probability. Successful execution results in the application terminating completely. The other, which could lead to safety issues in industrial settings, features a time delay, but only for a random duration between 30 and 90 minutes rather than several years.

After the initial grace period, a time the attacker seemingly believes is enough to establish trust in the extension, Sharp7Extend then embarks on a data corruption mission, forcing critical commands to fail 80 percent of the time.

Pandya said this could lead to safety systems failing to engage, actuators not receiving instructions, and other consequences.

Both mechanisms run at the same time, which means those who install Sharp7Extend are subject to random crashes and failed commands.

For manufacturing organizations, which Socket said typically execute 10 communications operations per minute, this could lead to crashes and system failures within 30 seconds of installing the extension.

This time drops to 6 seconds in healthcare settings and around 3 seconds in e-commerce.

Socket said it was working with NuGet to get the packages removed from the platform when it published its findings on Thursday, although at the time of writing the packages have all been taken down.

Pandya said that the developers who installed the database packages in 2024 would likely have moved to different projects and/or companies by the time the malicious logic activates, making incident response “nearly impossible,” due to the difficulties in tracing back who introduced the code to a production environment.

“Organizations must audit dependencies for the nine malicious packages immediately and assume any system with these packages is fully compromised. Industrial control systems running Sharp7Extend may already be experiencing intermittent failures masquerading as PLC communication issues.” ®