Developers are being attacked by threat actors using “sophisticated typosquatting techniques”.
Threat actors are targeting and infecting .NET developers with cryptocurrency stealers, according to a report in BleepingComputer.
JFrog security researchers Natan Nehorai and Brian Moussalli detailed the threat in a blog post this week. They said their team recently identified “a sophisticated and highly-malicious attack targeting .NET developers via the NuGet repository, using sophisticated typosquatting techniques”.
The top three packages were downloaded “an incredible amount of times”, the researchers note, adding that “this could be an indicator that the attack was highly successful, infecting a large amount of machines”.
However, they continue, “this is not a fully reliable indicator of the attack’s success since the attackers could have automatically inflated the download count (with bots) to make the packages seem more legitimate”.
How the threat works
The threat actors used typosquatting when creating their NuGet repository profiles, so that the accounts appeared to belong to legitimate Microsoft software developers working on the NuGet .NET package manager.
The malicious packages had already been downloaded 150,000 times over the past month before they were removed from the NuGet repository. The packages, the team explained, contained a “download & execute” type of payload. Specifically, they held a PowerShell script that executed upon installation and downloaded a “2nd stage” payload, which could then be executed remotely.
How to defend against the threat
“Despite the fact that the discovered malicious packages have since been removed from NuGet, .NET developers are still at high risk from malicious code”, Nehorai and Moussalli warn. This is because NuGet packages still contain facilities to run code immediately upon package installation.
Developers should pay attention to typos in imported and installed packages, the researchers advise. “As one can see, some of these packages try to mimic the names of legitimate well-known packages, hoping that a developer would accidentally install them in their project, or mention them as a dependency”.
Developers should note: payloads delivered in this attack have very low detection rates and will not be flagged as malicious by Microsoft Defender anti-malware.
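The two defensive checks the researchers point to (look for near-miss package names, and know that a package can run PowerShell at install time) can be automated. The following is an added example, not code from the JFrog report or from NuGet; it assumes a constructed allowlist of known package IDs, a constructed .csproj fragment, and the tools/init.ps1 and tools/install.ps1 hook names that NuGet runs from a package's tools/ folder.

```python
"""Added example: flag near-miss NuGet package IDs and install-time scripts in .nupkg files."""
import io
import re
import zipfile

# Constructed allowlist of package IDs this project is expected to depend on.
KNOWN_PACKAGES = {"Newtonsoft.Json", "Microsoft.Extensions.Logging", "Serilog"}

# Constructed .csproj fragment; the first and third IDs are hypothetical typo-squats.
SAMPLE_CSPROJ = """<ItemGroup>
  <PackageReference Include="Newtonsoft.Jsom" Version="13.0.1" />
  <PackageReference Include="Serilog" Version="2.12.0" />
  <PackageReference Include="Mircosoft.Extensions.Logging" Version="7.0.0" />
</ItemGroup>"""

# Assumed hook names: PowerShell NuGet runs from a package's tools/ folder when the
# package is installed via the Visual Studio Package Manager Console (install.ps1 is legacy).
INSTALL_SCRIPTS = {"tools/init.ps1", "tools/install.ps1"}

def edit_distance(a: str, b: str) -> int:
    """Case-insensitive Levenshtein distance; NuGet package IDs are case-insensitive."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_typosquats(csproj_xml: str, known=KNOWN_PACKAGES, max_dist: int = 2) -> dict:
    """Map each PackageReference ID that is not a known ID but lies within
    max_dist edits of one to the package it most likely impersonates."""
    suspects = {}
    for pid in re.findall(r'<PackageReference\s+Include="([^"]+)"', csproj_xml):
        dist, nearest = min((edit_distance(pid, k), k) for k in known)
        if 0 < dist <= max_dist:  # dist == 0 is the genuine package
            suspects[pid] = nearest
    return suspects

def install_scripts_in_nupkg(nupkg_bytes: bytes) -> list:
    """List install-time PowerShell scripts inside a .nupkg (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        return sorted(n for n in z.namelist() if n.lower() in INSTALL_SCRIPTS)

def build_sample_nupkg() -> bytes:
    """Constructed .nupkg carrying a tools/init.ps1, the payload shape the report describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("tools/init.ps1", "# constructed placeholder, no payload")
    return buf.getvalue()
```

A real deployment would run `find_typosquats` over every .csproj and packages.config in CI and quarantine any restored .nupkg for which `install_scripts_in_nupkg` returns a non-empty list.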