2023-11-01

Attackers are constantly coming up with new ways to deploy rogue packages on public registries for different programming languages with the goal of executing malware code when those packages are imported and used in projects. The latest example is an attack campaign recently detected on NuGet Gallery, the repository for .NET packages, in which attackers use the inline tasks feature of the MSBuild code building tool to execute malicious code.

“Based on our research, this is the first known example of malware published to the NuGet repository exploiting this inline tasks feature to execute malware,” researchers from security firm ReversingLabs said in a report. “There has been an ongoing discussion about the security implications of such mechanisms in NuGet's GitHub repository, but the issue hasn't been resolved. We're now dealing with the consequences of that.”

A months-long typosquatting campaign

In early October, researchers from a software supply chain security firm called Phylum discovered six malicious packages on NuGet Gallery that were uploaded by the same user and were deploying a remote access trojan called SeroXen RAT. The packages had names that were variations of existing popular packages — a technique named typosquatting — and had their download count artificially inflated by bots to appear more legitimate.

According to ReversingLabs, the packages detected by Phylum were likely part of a larger coordinated campaign on NuGet Gallery that started in August and resulted in several hundred malicious packages being uploaded to the repository over the last few months.

During the campaign, the attackers changed tactics several times when it came to hiding their malicious code inside packages and how they achieved code execution. The packages found by Phylum in early October used several layers of obfuscation for the malicious code and hid it in PowerShell scripts called tools/init.ps1 or tools/install.ps1 inside the packages, which the NuGet package manager will look for and execute when a package is installed.

For good measure, they also included a malicious tools/uninstall.ps1 file, which is executed when a package is uninstalled. The purpose of these scripts and mechanisms is to allow developers to perform some initial set-up tasks and cleanup jobs when a package is installed or uninstalled.
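One defensive way to surface both mechanisms described above (lifecycle PowerShell scripts under tools/ and MSBuild logic shipped as .targets/.props files that declare an inline task) is to audit the .nupkg archive before it is restored. The following is an added Python example, not code from the article or from ReversingLabs or Phylum; the sample package it builds is constructed, and it assumes inline tasks are declared with a `<UsingTask ... TaskFactory="CodeTaskFactory">` (or `RoslynCodeTaskFactory`) element, which is MSBuild's documented syntax.

```python
import io
import re
import zipfile

# Lifecycle scripts NuGet runs on package install/uninstall (see the article above).
LIFECYCLE_SCRIPTS = ("tools/init.ps1", "tools/install.ps1", "tools/uninstall.ps1")
# MSBuild inline tasks: <UsingTask ... TaskFactory="CodeTaskFactory"> or "RoslynCodeTaskFactory"
# (assumption: MSBuild's documented declaration form; attribute order may vary).
INLINE_TASK_RE = re.compile(
    r'<UsingTask\b[^>]*\bTaskFactory\s*=\s*"(?:Roslyn)?CodeTaskFactory"', re.I
)


def audit_nupkg(data: bytes) -> dict:
    """Return risky entries found in a .nupkg (which is just a zip archive).

    'scripts'      -> lifecycle PowerShell scripts present under tools/
    'inline_tasks' -> build/ or buildTransitive/ .targets|.props declaring an inline task
    """
    findings = {"scripts": [], "inline_tasks": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower().replace("\\", "/")
            if lower in LIFECYCLE_SCRIPTS:
                findings["scripts"].append(name)
            elif lower.startswith(("build/", "buildtransitive/")) and lower.endswith((".targets", ".props")):
                text = zf.read(name).decode("utf-8", errors="replace")
                if INLINE_TASK_RE.search(text):
                    findings["inline_tasks"].append(name)
    return findings


def build_sample_package() -> bytes:
    """Constructed sample .nupkg for demonstration only; the inline task is benign."""
    targets = (
        '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n'
        '  <UsingTask TaskName="Hello" TaskFactory="CodeTaskFactory"\n'
        '             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.Core.dll">\n'
        '    <Task><Code Type="Fragment" Language="cs">Log.LogMessage("hi");</Code></Task>\n'
        '  </UsingTask>\n'
        '</Project>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Example.Pkg.nuspec", "<package/>")
        zf.writestr("lib/net6.0/Example.Pkg.dll", b"")
        zf.writestr("tools/install.ps1", "Write-Host 'setup'")
        zf.writestr("tools/uninstall.ps1", "Write-Host 'cleanup'")
        zf.writestr("build/Example.Pkg.targets", targets)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_nupkg(build_sample_package()))
```

A hit in either list is not proof of malice (legitimate packages use both features), but it identifies exactly the packages whose install-time and build-time code deserves a manual read before they enter a build.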