Malicious NuGet Packages Attacking ASP.NET Developers to Steal Login Credentials

Originally published in Cybersecurity News (cybersecuritynews.com), by Blog Writer

A supply chain attack targeting ASP.NET developers has surfaced, involving four malicious NuGet packages built to steal login credentials and plant persistent backdoors inside web applications.

The packages — NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ — were published between August 12 and 21, 2024, by a threat actor operating under the username “hamzazaheer,” and together they have accumulated over 4,500 downloads.

The attack starts with deliberate deception. NCryptYo disguises itself as a cryptography library by typosquatting the widely used NCrypto package.

Its DLL filename, NCrypt.dll, mimics Windows’ native CNG cryptography provider, and its namespace mirrors Microsoft’s own cryptography APIs.

Critically, the package fires a static constructor the moment the assembly loads — before any developer calls a single method — silently deploying a hidden proxy on localhost port 7152 that relays traffic to an external, attacker-controlled server.

Socket.dev researchers identified the full campaign by tracing shared infrastructure across all four packages.

They noted that DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ all carry a byte-identical hardcoded authentication token encoded using GZip compression and custom Base64 substitutions, confirming they were built by the same operator.

VirusTotal analysis showed only 1 out of 72 security vendors flagged NCrypt.dll, revealing how effectively the obfuscation keeps the malware hidden from standard detection tools.

VirusTotal analysis showing only 1 of 72 security vendors detecting NCrypt.dll, highlighting the challenges of detecting heavily obfuscated .NET malware (Source – Socket.dev)

Once active, DOMOAuth2_ and IRAOAuth2.0 silently collect ASP.NET Identity data — user account IDs, role assignments, and permission mappings — and route it to the attacker’s server through the local proxy.

SimpleWriter_, posing as a PDF conversion tool, writes attacker-controlled files to disk and launches hidden processes with no visible window. The real objective is not just the developer’s workstation, but every production application they eventually deploy to end users.

JIT Hooking: The Core Infection Mechanism

NCryptYo uses a technique called JIT compiler hijacking to keep its true behavior hidden from security scanners.

The .NET runtime normally compiles methods just before they run; this package replaces that process with its own hook, so malicious code only decrypts at the moment of execution — making it invisible to static analysis.

The DLL is protected by .NET Reactor obfuscation, complete with a 14-day expiry timer and anti-debugging checks.

Five encrypted resources are embedded inside, with the largest being a 126 KB payload responsible for building the hidden proxy tunnel to the attacker’s external server.

Developers should verify package names, author identities, and download histories before installing any third-party library, and watch for traffic on unusual localhost ports.
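The "unusual localhost ports" advice above is easy to automate. The following Python script is an added example written for this article, not a tool from Socket.dev or from the report: it parses the output of Windows `netstat -ano`, keeps only TCP listeners bound to a loopback address (127.x or ::1), and reports any whose port is not on an allowlist of ports the developer expects to have open. The allowlist (`EXPECTED_LOOPBACK_PORTS`) and the sample netstat output are constructed assumptions; the only article-derived value is the proxy port 7152.

```python
import re
import subprocess
import sys

# Loopback listeners an ASP.NET dev box is expected to have (constructed allowlist; an
# assumption for this example, adjust to the team's real Kestrel / IIS Express ports).
EXPECTED_LOOPBACK_PORTS = {5000, 5001, 44300}

# Matches the TCP rows of Windows `netstat -ano`: proto, local, remote, state, pid columns.
_NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$", re.IGNORECASE
)


def split_host_port(endpoint: str):
    """'127.0.0.1:7152' -> ('127.0.0.1', 7152); '[::1]:7152' -> ('::1', 7152)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """True for IPv4 127.0.0.0/8 and the IPv6 loopback address."""
    return host.startswith("127.") or host == "::1"


def unexpected_loopback_listeners(netstat_output: str, expected=EXPECTED_LOOPBACK_PORTS) -> list:
    """Return sorted, de-duplicated (port, pid) pairs for loopback TCP listeners not on the allowlist.

    Only LISTENING rows are considered; established client connections are ignored, and an
    IPv4 plus IPv6 listener on the same port by the same PID collapses to one entry.
    """
    hits = set()
    for line in netstat_output.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        host, port = split_host_port(m.group("local"))
        if is_loopback(host) and port not in expected:
            hits.add((port, int(m.group("pid"))))
    return sorted(hits)


# Constructed sample output (not a real capture); the 7152 listener mirrors the proxy port
# described in the article, the PIDs are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       6120
  TCP    127.0.0.1:7152         0.0.0.0:0              LISTENING       4321
  TCP    127.0.0.1:52016        127.0.0.1:7152         ESTABLISHED     6120
  TCP    [::1]:7152             [::]:0                 LISTENING       4321
"""

if __name__ == "__main__":
    if sys.platform == "win32":
        output = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        output = SAMPLE_NETSTAT  # fall back to the constructed sample off Windows
    for port, pid in unexpected_loopback_listeners(output):
        print(f"unexpected loopback listener on port {port} owned by PID {pid}")
```

Each hit carries the owning PID, so the next step on a real machine is `tasklist /FI "PID eq 4321"` (or Process Explorer) to see which process, and which loaded DLL, opened the port. The parser targets the Windows `netstat -ano` layout only; `ss -ltnp` on Linux has a different column order and would need its own regex.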

Security teams are advised to enable automated CI/CD pipeline scanning that checks for obfuscation markers, static constructor abuse, and embedded encrypted payloads before any package enters a production build.
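The two recommendations above (verify package names, then scan for static constructor abuse and embedded encrypted payloads before a package reaches a build) can be wired into a single pre-merge check. The Python below is an added example written for this article; it is not Socket.dev's scanner and not code from any of the packages discussed. It treats a `.nupkg` as the zip archive it is, flags a package name that is suspiciously close to a trusted one (the NCryptYo / NCrypto pattern), a DLL named after a Windows cryptography library, the presence of a `.cctor` (the CLR's name for a static constructor) in an assembly, and 4 KB regions whose byte entropy looks like encrypted data. The trusted-package list, the reserved DLL names, the entropy threshold and both sample "DLLs" are constructed assumptions, and the `.cctor` byte search is a deliberately cheap heuristic that a proper metadata parser would refine.

```python
import io
import math
import random
import zipfile
from difflib import SequenceMatcher

# Constructed allowlist of packages the team already trusts (an assumption for this example).
TRUSTED_PACKAGES = ["NCrypto", "Newtonsoft.Json", "Serilog"]

# DLL names belonging to Windows' own cryptography stack; a third-party package shipping
# one of these deserves a look (illustrative list, not exhaustive).
RESERVED_DLL_NAMES = {"ncrypt.dll", "bcrypt.dll", "crypt32.dll"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, window: int = 4096, threshold: float = 7.4) -> int:
    """Count full, non-overlapping windows whose entropy suggests packed or encrypted content."""
    return sum(
        1
        for i in range(0, len(data) - window + 1, window)
        if shannon_entropy(data[i:i + window]) > threshold
    )


def typosquat_candidates(name: str, trusted=TRUSTED_PACKAGES, ratio: float = 0.8) -> list:
    """Trusted names that are close to, but not identical with, the package name."""
    return [
        t for t in trusted
        if t.lower() != name.lower()
        and SequenceMatcher(None, name.lower(), t.lower()).ratio() >= ratio
    ]


def scan_nupkg(package_name: str, nupkg_bytes: bytes) -> list:
    """Run every check over a .nupkg (a zip archive) and return human-readable findings."""
    findings = [f"name resembles trusted package {t!r}" for t in typosquat_candidates(package_name)]
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".dll"):
                continue
            dll = zf.read(info)
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base in RESERVED_DLL_NAMES:
                findings.append(f"{info.filename}: named like a Windows system library")
            # '.cctor' lives in the assembly's #Strings metadata heap as plain ASCII, so a raw
            # byte search is a cheap first pass. Many benign assemblies have a static
            # constructor too, so this is a 'review' signal, not a verdict on its own.
            if b".cctor" in dll:
                findings.append(f"{info.filename}: defines a static constructor (code runs on type load)")
            n = high_entropy_regions(dll)
            if n:
                findings.append(f"{info.filename}: {n} high-entropy 4 KB region(s) (possible encrypted payload)")
    return findings


def build_sample_nupkg(dll_name: str, dll_bytes: bytes) -> bytes:
    """Constructed, minimal .nupkg-shaped zip for the demo; real packages carry more files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lib/net8.0/" + dll_name, dll_bytes)
    return buf.getvalue()


# Constructed stand-ins for DLL contents (not real assemblies): one that is almost all zeros,
# one that names a static constructor and carries 8 KB of seeded pseudo-random bytes.
_rng = random.Random(7)
BENIGN_DLL = b"MZ" + bytes(8190)
SUSPICIOUS_DLL = b"MZ.cctor" + bytes(_rng.getrandbits(8) for _ in range(8192))

if __name__ == "__main__":
    for name, dll_name, dll in [("NCryptYo", "NCrypt.dll", SUSPICIOUS_DLL),
                                ("Serilog.Sinks.File", "Serilog.Sinks.File.dll", BENIGN_DLL)]:
        print(name, scan_nupkg(name, build_sample_nupkg(dll_name, dll)) or ["no findings"])
```

In a pipeline the findings would gate the restore step rather than merely print: a name-similarity hit or a reserved DLL name is a hard stop pending review, while the `.cctor` and entropy signals are best combined (an assembly with a static constructor and a large encrypted resource is the exact shape described in this article) rather than acted on individually, since legitimate libraries trip either one alone.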
