.NET and Siemens PLCs targeted by delayed NuGet malware

Security researchers have identified at least nine malware-laced NuGet packages that were uploaded to the public .NET repository in 2023–2024 and that contain delayed “logic bombs” designed to trigger years later — in August 2027 and November 2028 — with the intent to corrupt databases, crash applications and interfere with industrial control integrations.

The packages, all tied to the same publisher handle and downloaded roughly 9,500 times before they were flagged, were ordinary .NET libraries on the surface but hid time-based and probability-based payloads deep in their code. Researchers who decompiled them say that after the trigger date is reached, the code begins to tamper with database operations and, in some variants, with PLC-related functions, and that on each affected query there is about a 20% chance the application will be terminated. Because the trigger year is two to three years away, any organization that pulled these packages into a long-lived project or a CI/CD pipeline in 2024–2025 could be carrying the backdoor without seeing symptoms.

The attack works by abusing how NuGet restores dependencies in .NET builds. A developer adds what looks like a helper library; the package is fetched from nuget.org and cached; and transitive dependencies are restored on every build agent that runs the project. The malicious packages found this week added an extra layer: an embedded logic bomb that stays dormant until a hardcoded future date and only then injects destructive behavior into database calls. Researchers noted that several of the packages used IL weaving and post-restore execution techniques seen in earlier NuGet supply-chain incidents in 2024, but combined them with a much longer delay than usual, suggesting the attacker wanted the malware to survive code reviews and simple sandboxing.
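One mitigation that follows directly from the restore behaviour described above is to pin every package, direct and transitive, in a NuGet lock file and fail the build when anything deviates from what was reviewed. The Python below is an added example, not code from the article or from the researchers; the package names, versions and hashes are constructed placeholders, and the structure it parses is the `packages.lock.json` that NuGet writes when `RestorePackagesWithLockFile` is enabled.

```python
import json

# Constructed sample of a NuGet packages.lock.json. Names and hashes are
# placeholders, not the packages from the article.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )",
                                "resolved": "13.0.3", "contentHash": "sha512-AAA"},
            # Pulled in transitively: never added by a developer, never reviewed.
            "Example.DbHelper": {"type": "Transitive",
                                 "resolved": "2.1.0", "contentHash": "sha512-BBB"},
            # Reviewed once, but the package content has changed since.
            "Example.PlcBridge": {"type": "Direct", "requested": "[1.0.0, )",
                                  "resolved": "1.0.0", "contentHash": "sha512-CCC"},
        }
    }
})

# Baseline of packages that passed review: name -> (resolved version, contentHash).
# A hash mismatch for the same version means the bits differ from what was reviewed.
BASELINE = {
    "Newtonsoft.Json": ("13.0.3", "sha512-AAA"),
    "Example.PlcBridge": ("1.0.0", "sha512-ZZZ"),
}


def audit_lock(lock_text, baseline):
    """Return (framework, package, status, detail) for every package that is not
    exactly what was reviewed: UNREVIEWED if absent from the baseline (this is
    where transitive packages surface), CHANGED if version or hash differs."""
    lock = json.loads(lock_text)
    findings = []
    for framework, packages in lock.get("dependencies", {}).items():
        for name, meta in packages.items():
            resolved = (meta.get("resolved"), meta.get("contentHash"))
            if name not in baseline:
                findings.append((framework, name, "UNREVIEWED", meta.get("type")))
            elif baseline[name] != resolved:
                findings.append((framework, name, "CHANGED", " ".join(resolved)))
    return findings


if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK, BASELINE):
        print(*finding)
```

Running `dotnet restore --locked-mode` on the build agent makes restore itself fail when the lock file would change, so the audit above only needs to run when the lock file is deliberately updated.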

What could be hit in 2027–2028 is broader than a single developer PC. Any build agent or CI runner that restores from NuGet and pulls the malicious package will carry the logic bomb. Any production service that was compiled with the package and is still deployed when the trigger date arrives could start to see random application crashes or silent database tampering. Any on-premises system that uses .NET to talk to industrial controllers — researchers mentioned Siemens S7-style integrations — could experience intermittent write failures after a 30–90 minute delay.

And because modern crypto, fintech and DeFi backends also run on .NET in some enterprises, secrets exposed to the process (API keys, wallet management endpoints, database credentials) would be at risk if an attacker coupled the bomb with data exfiltration. The key point in the analysis was that the packages target places where code runs unattended for years: build servers, business services, operational tech gateways.
