The compromise turns trusted developer dependencies into covert backdoors, exposing sensitive authentication data and enabling persistent privilege escalation in production ASP.NET applications.
Supply‑chain attacks on package managers have surged, and the recent NuGet intrusion underscores the vulnerability of .NET ecosystems. By exploiting typosquatting and obfuscation, the actor introduced four interlinked packages that appear as ordinary developer utilities. The primary vector, NCryptYo, leverages JIT compiler hooks to decrypt and execute a second‑stage binary, which then creates a local HTTPS proxy on port 7152. This proxy becomes the conduit for credential theft, silently routing authentication tokens and permission data to an external command‑and‑control server without any visible network code in the package metadata.
Technical analysis reveals a sophisticated chain: NCryptYo’s static constructor injects runtime hooks, while DOMOAuth2_ and IRAOAuth2.0 embed hard‑coded attacker tokens into OAuth service extensions, automatically forwarding user GUIDs, role IDs, and permission mappings through the localhost tunnel. SimpleWriter_ completes the toolkit by masquerading as an HTML‑to‑PDF converter, yet it writes arbitrary files and launches hidden processes once the proxy confirms connectivity. The use of JIT‑time decryption and minimal static indicators allows the malicious DLL to evade most static scanners, as evidenced by only one of 72 VirusTotal vendors flagging it.
For enterprises and independent developers, the incident highlights the necessity of rigorous package vetting and runtime monitoring. Implementing strict allow‑lists, employing reproducible builds, and scanning binaries with behavior‑based tools can mitigate similar threats. Moreover, developers should scrutinize assembly load events and unexpected network activity, especially on localhost ports, to detect covert exfiltration channels before they reach production environments.
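The allow-list check recommended above can be run against a project's `packages.lock.json`, which lists transitive as well as direct dependencies. This is an added example, not code from the original article: the `Contoso.*` and `Fabrikam.*` package IDs, the sample lock file and the 0.85 similarity threshold are constructed assumptions, while the four flagged IDs are the ones named in the article.

```python
import json
from difflib import SequenceMatcher

# Package IDs named in the article above (lower-cased; NuGet IDs are case-insensitive).
REPORTED_MALICIOUS = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}
# Constructed allow-list (hypothetical package IDs); replace with your vetted set.
ALLOW_LIST = {"Contoso.Crypto", "Contoso.Pdf", "Contoso.OAuth"}
# Constructed packages.lock.json content for a sample project.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {"net8.0": {
        "Contoso.Crypto": {"type": "Direct", "resolved": "2.1.0"},
        "Contoso.Crypt0": {"type": "Direct", "resolved": "1.0.0"},
        "NCryptYo": {"type": "Transitive", "resolved": "1.0.0"},
        "SimpleWriter_": {"type": "Direct", "resolved": "1.0.0"},
        "Fabrikam.Logging": {"type": "Transitive", "resolved": "3.0.0"},
    }},
})


def lookalike_of(pkg_id, allowed, threshold=0.85):
    """Return the allow-listed ID that pkg_id closely resembles, or None."""
    def score(candidate):
        return SequenceMatcher(None, pkg_id.lower(), candidate.lower()).ratio()
    best = max(allowed, key=score, default=None)
    return best if best and score(best) >= threshold else None


def audit_lock_file(lock_text, allowed=ALLOW_LIST):
    """Return (framework, id, type, verdict) for every package needing review."""
    allowed_lower = {a.lower() for a in allowed}
    findings = []
    for framework, packages in json.loads(lock_text).get("dependencies", {}).items():
        for pkg_id, meta in sorted(packages.items()):
            key = pkg_id.lower()
            if meta.get("type") == "Project" or key in allowed_lower:
                continue  # project references and vetted packages pass
            near = lookalike_of(pkg_id, allowed)
            if key in REPORTED_MALICIOUS:
                verdict = "reported-malicious"
            elif near:
                verdict = "possible-typosquat-of:" + near
            else:
                verdict = "not-on-allow-list"
            findings.append((framework, pkg_id, meta.get("type"), verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_lock_file(SAMPLE_LOCK):
        print(*finding, sep="\t")
```

Run as a build gate, any non-empty result should fail the pipeline so that an unvetted or lookalike package is reviewed before its code ever loads.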