- Socket found nine NuGet packages with delayed sabotage targeting industrial control systems
- Sharp7Extend can corrupt Siemens S7 PLCs and crash host processes randomly
- Malicious code activates in 2027-2028; users are urged to audit and remove affected packages
Thousands of critical infrastructure organizations, as well as those working in other equally important verticals, were targeted by a treacherous attack designed to sabotage their industrial control devices (ICDs) two years down the line, experts have found.
Socket cybersecurity researchers recently discovered nine packages on NuGet containing sabotage payloads that are expected to activate in 2027 and 2028, if certain conditions are met.
NuGet is the package manager for .NET, providing open source .NET libraries that software developers can easily integrate into their projects.
Thousands of victims
According to Socket, the packages targeted the three main database providers used in .NET applications: SQL Server, PostgreSQL and SQLite. The most dangerous, it added, was Sharp7Extend, which targets users of the Sharp7 library.
“By adding ‘Extend’ to the Sharp7 trusted name, the threat actor exploits developers looking for Sharp7 extensions or enhancements,” Socket explained.
The account that hosted them is shanhai666 and, according to BeepComputer, has had all these items removed in the meantime. Before that, the packages had managed to garner almost 10,000 downloads.
While almost all the code in the packages (99%) was clean, that 1% could prove fatal. It was written to run whenever the application communicates with databases or Siemens S7 controllers.
Siemens S7 industrial control devices are typically found in manufacturing plants, power and utility, oil, gas and chemical, building automation, and transportation industries.
The payload triggers only between August 8, 2027 and November 29, 2028, and does two destructive things: it randomly kills the host process 20% of the time (causing immediate shutdowns) and, in the Sharp7Extend package, aborts initialization and/or, after a 90-minute delay, corrupts PLC write commands with an 80% chance.
Who downloaded these packages and for what purpose remains a mystery. Users are advised to check their assets for these packages and remove them immediately.
Here is the full list of malicious packages discovered so far:
SQLUnicorn.Core
qlDbRepository
SQLLite repository
SqlUnicornCoreTest
SQLUnicornCore
SQL Repository
MyDbRepository
MCDbRepository
Sharp7Extender
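One way to run the audit the article recommends, as an added example that is not from Socket or the original article: it scans .NET project XML for direct references to the listed packages. The package names are copied as printed on this page (including both spellings of the Sharp7 package) and should be confirmed against Socket's report; the sample project files and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Package IDs exactly as printed on this page (list plus the "Sharp7Extend"
# spelling from the article body). Assumption: confirm against Socket's report.
PAGE_LISTED = [
    "SQLUnicorn.Core", "qlDbRepository", "SQLLite repository",
    "SqlUnicornCoreTest", "SQLUnicornCore", "SQL Repository",
    "MyDbRepository", "MCDbRepository", "Sharp7Extender", "Sharp7Extend",
]

# Constructed sample inputs (package versions are placeholders).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Contoso.Logging" Version="1.2.3" />
    <PackageReference Include="Sharp7Extend"><Version>0.0.0-sample</Version></PackageReference>
  </ItemGroup>
</Project>"""
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="sqlunicorn.core" version="0.0.0-sample" targetFramework="net48" />
</packages>"""

def norm(pkg_id):
    # NuGet IDs are case-insensitive and contain no whitespace.
    return re.sub(r"\s+", "", pkg_id).lower()

FLAGGED = {norm(p) for p in PAGE_LISTED}

def referenced_packages(xml_text):
    """Yield (id, version) from .csproj, Directory.Packages.props or packages.config XML."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the namespace of old-style project files
        if tag in ("PackageReference", "PackageVersion"):
            pid = el.get("Include") or el.get("Update")
            ver = el.get("Version") or next(
                (c.text for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), None)
        elif tag == "package":
            pid, ver = el.get("id"), el.get("version")
        else:
            continue
        if pid:
            yield pid, ver

def audit(xml_text):
    """Return the (id, version) pairs that match a package listed on this page."""
    return [(p, v) for p, v in referenced_packages(xml_text) if norm(p) in FLAGGED]

if __name__ == "__main__":
    print(audit(SAMPLE_CSPROJ), audit(SAMPLE_PACKAGES_CONFIG))
```

This covers direct references only; transitive dependencies show up in `dotnet list package --include-transitive`.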
Via BeepComputer




