Cybercrims plant destructive time bomb malware in industrial .NET extensions
- Reference: 1762529182
- News link: https://www.theregister.co.uk/2025/11/07/cybercriminals_plant_destructive_time_bomb/
- Source link:
Socket's researchers identified nine malicious packages on the .NET package manager containing destructive code due to trigger between 2027 and 2028, with one affecting "safety-critical systems in manufacturing environments."
Of the 12 packages published by the NuGet user shanhai666 between 2023 and 2024, nine contained malicious code and have been downloaded nearly 10,000 times.
Notably, the packages largely consist of genuinely useful code serving legitimate purposes. Kush Pandya, security engineer at Socket, said 99 percent of the code among these packages was benign, which serves as a trust-builder.
He [4]wrote: "This legitimate functionality serves multiple purposes: it builds trust as packages work as advertised, passes code reviews where reviewers see familiar patterns and real implementations, provides actual value encouraging adoption, masks the ~20-line malicious payload buried in thousands of lines of legitimate code, and delays discovery since even after activation, crashes appear as random bugs rather than systematic attacks."
Some of these packages targeted major database providers (SQL Server, PostgreSQL, and SQLite). After the trigger dates, set years in the future, each database query made through the package would have a 20 percent probability of terminating the host application process.
Pandya said that the most damaging of the nine packages, Sharp7Extend, targets the Siemens S7 [6]programmable logic controllers (PLCs) typically used in manufacturing.
Siemens commands a large market share in the PLC space, with some [7]reporting a dominant 15-20 percent market share, and its S7 products are among its most widely used.
The extension aims to trick users into thinking it is affiliated with the genuine Sharp7 package, using a touch of typosquatting to suggest it provides more features than the original.
Sharp7Extend provides all the same functionality as Sharp7 with the addition of a few lines of malicious code – enough to achieve the attackers' goals without arousing suspicion in code reviews.
The packages targeting databases are set to trigger in the future. One of the [9]SQL Server malware strains activates on August 8, 2027, whereas the packages targeting [10]PostgreSQL, [11]SQLite, and other SQL Server implementations activate on November 29, 2028.
Pandya did not provide an explanation for why these specific dates were chosen, other than that they were set in the future, which allows the attackers to build a number of trusted victims before executing the malicious code.
Sharp7Extend was programmed differently in that it does not have a delayed fuse. Downloaded more than 2,000 times according to Socket, the extension's malicious code is activated immediately upon installation, but ceases to execute after June 6, 2028.
Also unlike the database packages, Sharp7Extend has two different mechanisms for industrial sabotage.
The first runs on every Siemens S7 communication operation but executes its malicious logic only with a 20 percent probability; when it does, the application terminates completely. The other, which could lead to safety issues in industrial settings, also features a time delay, but one of a random duration between 30 and 90 minutes rather than several years.
After the initial grace period, a time the attacker seemingly believes is enough to establish trust in the extension, Sharp7Extend then embarks on a data corruption mission, forcing critical commands to fail 80 percent of the time.
Pandya said this could lead to safety systems failing to engage, actuators not receiving instructions, and other consequences.
Both mechanisms run at the same time, which means those who install Sharp7Extend are subject to random crashes and failed commands.
For [17]manufacturing organizations, which Socket said typically execute 10 communications operations per minute, this could lead to crashes and system failures within 30 seconds of installing the extension.
This time drops to 6 seconds in [18]healthcare settings and around 3 seconds in [19]e-commerce.
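The two sabotage mechanisms described above leave a recognisable shape in code: a hard-coded future date compared against the wall clock next to a process-terminating call, or a random roll gating such a call with no date gate at all. As an added, defender-side illustration (this is not Socket's tooling and not code from any of the packages), the following Python heuristic flags both shapes in C# source or decompiler output, and also computes the expected time to the first crash from the per-operation probability and rate, which reproduces the article's 30-second figure for 10 operations per minute. The sample C# text, the regular expressions, the `min_year` cutoff and the window radius are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of C# text, as a reviewer would see it in source or after
# decompiling an assembly. It mimics the behaviours the article describes
# (a date-gated 20 percent process kill and an ungated 20 percent process kill)
# next to a benign use of the clock. It is not code from any real package.
SAMPLE_CS = """\
public static class DbHelper {
    static readonly Random _rng = new Random();
    public static void AfterQuery() {
        // constructed: date gate + 20% roll + process kill
        if (DateTime.Now > new DateTime(2027, 8, 8) && _rng.Next(100) < 20) {
            Environment.Exit(1);
        }
    }
}
public static class S7Ext {
    static readonly Random _r = new Random();
    public static void OnWrite() {
        if (_r.Next(100) < 20) Environment.Exit(2);   // constructed: no date gate
    }
}
public static class Logger {
    public static void Rotate() {
        var cutoff = DateTime.Now.AddDays(-7);        // benign: no termination nearby
    }
}
"""

# Indicator patterns (assumptions; tune for the code base under review).
DATE_LITERAL = re.compile(r"new\s+DateTime\s*\(\s*(\d{4})\s*,\s*\d{1,2}\s*,\s*\d{1,2}")
CLOCK = re.compile(r"\bDateTime\.(Now|UtcNow|Today)\b")
KILL = re.compile(r"Environment\.(Exit|FailFast)\s*\(|Process\.GetCurrentProcess\(\)\.Kill\s*\(")
RNG = re.compile(r"\bRandom\b|\.Next\s*\(|\bRandomNumberGenerator\b")
RNG_GATE = re.compile(r"\.Next\s*\(\s*\d+\s*\)\s*[<>]=?\s*\d+")


@dataclass
class Finding:
    line: int
    trigger_year: Optional[int]   # None for an ungated probabilistic kill
    indicators: List[str]


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def _window(lines: List[str], line: int, radius: int) -> str:
    lo = max(0, line - 1 - radius)
    hi = min(len(lines), line + radius)
    return "\n".join(lines[lo:hi])


def scan_csharp(text: str, min_year: int = 2026, radius: int = 6) -> List[Finding]:
    lines = text.splitlines()
    findings: List[Finding] = []
    # Rule 1: a hard-coded future date compared against the clock, with a
    # process-terminating call within `radius` lines (the database packages' pattern).
    for m in DATE_LITERAL.finditer(text):
        year = int(m.group(1))
        if year < min_year:
            continue
        line = _line_of(text, m.start())
        chunk = _window(lines, line, radius)
        if not (CLOCK.search(chunk) and KILL.search(chunk)):
            continue
        inds = ["future-date-literal", "wall-clock-compare", "process-termination"]
        if RNG.search(chunk):
            inds.append("random-gate")
        findings.append(Finding(line, year, inds))
    # Rule 2: a random roll gating a process kill with no date gate at all
    # (the Sharp7Extend pattern, active from installation).
    for m in KILL.finditer(text):
        line = _line_of(text, m.start())
        chunk = _window(lines, line, radius)
        if any(int(d.group(1)) >= min_year for d in DATE_LITERAL.finditer(chunk)):
            continue  # already covered by rule 1
        if RNG_GATE.search(chunk):
            findings.append(Finding(line, None, ["random-gate", "process-termination"]))
    return sorted(findings, key=lambda f: f.line)


def expected_seconds_to_first_crash(p: float, ops_per_minute: float) -> float:
    """Mean time until a per-operation crash of probability p first fires."""
    return 60.0 / (ops_per_minute * p)


if __name__ == "__main__":
    for f in scan_csharp(SAMPLE_CS):
        print(f"line {f.line}: year={f.trigger_year} {', '.join(f.indicators)}")
    print(expected_seconds_to_first_crash(0.2, 10))
```

The heuristic is deliberately proximity-based rather than a parser: after decompilation the malicious branch sits in a handful of lines, so a small window around each date literal or terminating call is enough to catch it, and the benign `Logger` region produces no finding because nothing terminates the process near its clock read.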
Socket said it was working with NuGet to get the packages removed from the platform when it published its findings on Thursday, although at the time of writing the packages have all been taken down.
Pandya said that the developers who installed the database packages in 2024 would likely have moved to different projects and/or companies by the time the malicious logic activates, making incident response "nearly impossible," due to the difficulties in tracing back who introduced the code to a production environment.
"Organizations must audit dependencies for the nine malicious packages immediately and assume any system with these packages is fully compromised. Industrial control systems running Sharp7Extend may already be experiencing intermittent failures masquerading as PLC communication issues." ®
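The closing advice to audit dependencies can be partly automated. The following added Python example (not Socket's tooling and not code from any project the article mentions) parses an SDK-style .NET project file or a legacy packages.config, matches package ids against a denylist seeded with the one package the article names, and flags ids that extend or closely resemble a well-known package, the way Sharp7Extend rides on Sharp7. The project file, the trusted-name baseline, the similarity threshold and the placeholder versions are constructed assumptions; the remaining eight package names must be taken from Socket's advisory.

```python
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Tuple

# The only malicious package id the article gives; extend from Socket's advisory
# (lower-cased, since NuGet ids are case-insensitive). Second entry is a placeholder.
DENYLIST = {"sharp7extend", "<other-package-id-from-socket-advisory>"}

# Well-known package ids a look-alike might imitate (constructed baseline list).
TRUSTED_NAMES = ["Sharp7", "Npgsql", "Microsoft.Data.SqlClient", "Microsoft.Data.Sqlite"]

# Constructed SDK-style project file; versions are placeholders, not real releases.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Sharp7" Version="0.0.0-sample" />
    <PackageReference Include="Sharp7Extend" Version="0.0.0-sample" />
    <PackageReference Include="Npgsql" Version="0.0.0-sample" />
  </ItemGroup>
</Project>"""


def package_refs(xml_text: str) -> List[Tuple[str, str]]:
    """Return (id, version) pairs from a .csproj or a legacy packages.config."""
    root = ET.fromstring(xml_text)
    refs = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # tolerate the old MSBuild namespace
        if tag == "PackageReference":
            name = el.get("Include") or el.get("Update")
            if name:
                refs.append((name, el.get("Version", "")))
        elif tag == "package" and el.get("id"):  # packages.config entry
            refs.append((el.get("id"), el.get("version", "")))
    return refs


def lookalike_of(name: str, trusted: List[str] = TRUSTED_NAMES,
                 threshold: float = 0.85) -> Optional[str]:
    """Trusted id that `name` extends or closely resembles; None for exact matches."""
    n = name.lower()
    if any(n == t.lower() for t in trusted):
        return None  # it is the genuine package
    for t in trusted:
        tl = t.lower()
        if n.startswith(tl) or SequenceMatcher(None, n, tl).ratio() >= threshold:
            return t
    return None


def audit(xml_text: str) -> List[Dict[str, object]]:
    """Flag denylisted ids and ids that imitate a trusted package."""
    findings = []
    for name, version in package_refs(xml_text):
        reasons = []
        if name.lower() in DENYLIST:
            reasons.append("denylisted")
        twin = lookalike_of(name)
        if twin:
            reasons.append(f"name resembles {twin}")
        if reasons:
            findings.append({"package": name, "version": version, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CSPROJ):
        print(f"{f['package']} {f['version']}: {'; '.join(f['reasons'])}")
```

Run it over every .csproj and packages.config in a repository (and, for reproducible builds, over the ids in packages.lock.json). Publisher identity is not in these files, so the account the article attributes the packages to, shanhai666, has to be checked against the owner metadata on the registry rather than offline.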
[4] https://socket.dev/blog/9-malicious-nuget-packages-deliver-time-delayed-destructive-payloads
[6] https://www.theregister.com/2022/07/18/password-sality-malware/
[7] https://www.futuremarketinsights.com/reports/micro-and-nano-plc-market
[9] https://www.theregister.com/2024/11/19/microsoft_sql_server_2025/
[10] https://www.theregister.com/2025/09/04/postgresql_18/
[11] https://www.theregister.com/2024/11/05/google_ai_vulnerability_hunting/
[12] https://www.theregister.com/2025/10/30/phantomraven_npm_malware/
[13] https://www.theregister.com/2025/10/29/keep_android_open_movement/
[14] https://www.theregister.com/2025/09/29/postmark_mcp_server_code_hijacked/
[15] https://www.theregister.com/2025/11/06/most_common_passwords/
[16] https://www.theregister.com/2025/09/16/npm_under_attack_again/
[17] https://www.theregister.com/2025/05/20/foxconn_chair_ai_manufacturing_predictions/
[18] https://www.theregister.com/2025/10/01/nhs_online/
[19] https://www.theregister.com/2025/11/05/amazon_perplexity_comet_legal_threat/
Possibly a plausible deniability cover for an insider saboteur. Claim stupidity if caught, rather than having to explain why you installed the malware from a USB stick found in your pocket.
Nah, I've seen plenty of developers, both professional and hobbyist, use the most arbitrary, obscure libraries possible, in most every mainstream language. I don't know why. Some people just seem to look something up and then go to like the 3rd page of the search results and use that. I just chalk it up to being a form of Hyrum's Law, or something like that.
I didn't see a breakdown for downloads of each package. On the surface, these numbers are indeed small. But if somebody is targeting PLCs, that is a much smaller but more specific target than, say, another web forum with a database backend. I would expect the numbers to be lower.
It also means those who downloaded these extensions most likely did not check them. Yet more cases of blindly trusting somebody else's code.
Huh, funny, you'd think Microsoft would have an AI scan for this kind of thing. I guess that application would be too useful. Gotta save all those resources for the Windows Settings AI that tells you how to change your wallpaper by using more water than an African village consumes in a week.
Pandya did not provide an explanation for why these specific dates were chosen
https://www.theguardian.com/world/2025/mar/20/china-landing-barges-shuqiao-ships-what-does-this-mean-for-taiwan
Nah, it's just coincidence.
Those are some very low download figures for a NuGet package and a sketchy user name. I would not have considered any of them even if they provided a feature I was looking for.
Particularly for database libraries you expect downloads in the millions and a company or well known person in the community as the publisher.