Socket flags malicious NuGet packages set to activate in 2027 and 2028

Two years ago, an account with the name “shanhai666” uploaded nine malicious NuGet packages. This launched a complicated software supply-chain attack. According to supply-chain security firm Socket, the packages have been collectively downloaded 9,488 times. In addition, specific triggers are set for August 2027 and November 2028. Socket’s team member, Kush Pandya, discovered the threat actor behind the campaign that published a total of 12 packages. Nine of the packages contain harmful routines, while three are fully functional implementations disguising the rest as “credible.” Pandya believes the hacker used legitimate libraries together with the malicious ones to trick developers into installing the packages without detecting anomalies during routine testing. “Legitimate functionality masks the ~20-line malicious payload buried in thousands of lines of legitimate code, and delays discovery since even after activation, crashes appear as random bugs rather than systematic attacks,” he wrote in a November 6 report. 9 NuGet hidden...

https://www.cryptopolitan.com/malicious-nuget-to-detonate-2027-2028/