Hidden “Logic Bombs” in NuGet Packages

10.11.2025 4 minutes Author: Newsman

Researchers have discovered nine malicious NuGet packages that look like legitimate libraries for working with databases and industrial controllers but actually contain logic bombs with delayed activation. The malicious code is designed to trigger only in 2027–2028, causing “random” application failures and sabotaging industrial systems — long after most developers have forgotten they ever added these dependencies.

Security company Socket, which specializes in software supply-chain security, reported nine malicious NuGet packages published by a user named shanhai666 in 2023–2024. In total, they were downloaded nearly 9,500 times.

These packages:

  • pretend to be normal libraries for SQL Server, PostgreSQL, SQLite

  • are presented as helpers for database access or for controlling PLCs (programmable logic controllers) in industrial systems

  • contain hidden code that checks the current date and activates only after specific trigger dates in August 2027 and November 2028

The most critical one is Sharp7Extend, targeting users of the popular Sharp7 library for interacting with Siemens S7 PLCs:

  • immediately after installation it can terminate the process with a certain probability

  • later, after 30–90 minutes, it starts silently corrupting write operations to the PLC (some writes just don’t happen)

  • this kind of sabotage can hit production lines, safety systems, and other critical processes

Other packages are deliberately time-delayed:

  • some only activate after 8 August 2027

  • others — after 29 November 2028

This gives attackers a long window to:

  • collect as many “victims” as possible while the packages look safe

  • wait until dev teams have changed, projects have been refactored, and the history of dependency choices is forgotten

When the “bomb” finally goes off, the application:

  • sometimes crashes seemingly at random

  • sometimes subtly corrupts database or PLC operations

— all of which can easily be mistaken for hardware flakiness or random bugs, not a deliberate attack.

1. Logic bombs in the software supply chain

A logic bomb is code that stays dormant until a specific condition is met: a date, an event, a configuration, etc. In this case:

  • the trigger is specific dates in 2027–2028
  • it’s a classic software supply-chain attack: malicious components are slipped into a trusted repository (NuGet) that developers routinely pull from

This approach is especially dangerous for:

  • enterprise .NET projects that heavily rely on NuGet
  • industrial control systems (ICS), where PLC failures can cause
    • production downtime
    • accidents
    • safety risks for people

2. Abuse of C# extension methods

According to Socket’s analysis, the attackers heavily use C# extension methods.

Extension methods allow you to:

  • add new methods to an existing type without changing its original source code
  • make the added methods look like regular instance methods, so they don’t stand out during a quick code review

In these malicious packages:

  • the extensions intercept database queries and PLC operations
  • every call passes through a wrapper that
    • checks the current date
    • at the right time, runs the malicious logic — killing the process, sabotaging writes, and so on

In some packages the dates are hard-coded in the source, while in Sharp7Extend they’re stored in encrypted form in configuration, which makes analysis harder.
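A review heuristic for the pattern this section describes, written here as an added example (not Socket's tooling and not code from the packages): it locates C# extension methods and flags any whose body combines a wall-clock read with a process-terminating call, a random draw or a hard-coded future date. The C# it scans is a constructed sample; the type and method names in it are illustrative, not taken from a real package.

```python
import re

# Constructed C# sample: one ordinary PLC helper and one wrapper of the kind
# described above (date gate, 20 % chance, process exit). Type and method
# names are illustrative only, not taken from any real package.
SAMPLE_SOURCE = r"""
public static class PlcExtensions
{
    public static void ReadBlock(this S7Client client, int db, byte[] buf)
    {
        client.DBRead(db, 0, buf.Length, buf);
    }
    public static int WriteGuarded(this S7Client client, int db, int start, byte[] data)
    {
        if (DateTime.UtcNow > new DateTime(2027, 8, 8) && new Random().NextDouble() < 0.2)
            Environment.Exit(1);
        return client.DBWrite(db, start, data.Length, data);
    }
}
"""

# Extension method: a static method whose first parameter is `this T name`.
EXT_METHOD = re.compile(r"static\s+[\w<>\[\],\s]+?\s+(\w+)\s*\(\s*this\s+[^)]*\)\s*\{")
# Indicators that, together with a clock read, deserve a closer look in review.
INDICATORS = {
    "clock": re.compile(r"DateTime(?:Offset)?\.(?:Now|UtcNow|Today)"),
    "terminate": re.compile(r"Environment\.(?:Exit|FailFast)|\.Kill\(\)"),
    "chance": re.compile(r"\bRandom\b|\.Next(?:Double)?\("),
    "future-date": re.compile(r"new\s+DateTime\s*\(\s*20\d\d\s*,"),
}

def method_body(src, open_brace):
    """Return the text from the opening brace to its matching closing brace."""
    depth = 0
    for i in range(open_brace, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_brace:i + 1]
    return src[open_brace:]

def scan_extension_methods(src):
    """Flag extension methods that read the clock and show at least one more indicator."""
    findings = []
    for m in EXT_METHOD.finditer(src):
        body = method_body(src, m.end() - 1)
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        if "clock" in hits and len(hits) > 1:
            findings.append((m.group(1), hits))
    return findings
```

Run it over decompiled package sources (for example output from a .NET decompiler) rather than only your own code, since the wrapper lives in the dependency.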

3. No obvious culprit and a messy investigation

Socket notes that:

  • all identified malicious packages have now been removed from NuGet

  • the code patterns and the author’s handle (shanhai666) might hint at possible Chinese origin, but there is no hard proof either way

For organizations, the big problem is:

  • delayed execution plus probabilistic behavior (for example, crashing only 20% of the time) makes incidents look like random issues

  • years later it will be almost impossible to

    • remember who added the compromised package and when
    • reconstruct the full chain of compromise
    • prove it was a targeted attack and not just bad luck

4. What it means for developers and companies

The story of these hidden logic bombs in NuGet packages shows that:

  1. Software supply-chain poisoning is becoming more sophisticated and long-term: attackers are willing to wait years for their code to “mature”.
  2. Delayed and probabilistic sabotage is a perfect way to disguise an attack as:
    • random crashes
    • flaky hardware
    • unstable networks or databases
  3. Organizations that don’t keep strict records of their dependencies and versions risk ending up in a situation where:
    • the attack has already happened
    • systems are crashing or behaving strangely
    • but the original source of the poison is almost impossible to track down

For developers and companies, this is a clear signal to:

  • strengthen dependency control (software composition analysis, blocking suspicious packages, reviewing extensions)
  • introduce audit procedures for packages from public registries
  • think in terms of long-term security, not just short-term incident response
