Socket’s Threat Research Team discovered nine malicious NuGet packages, published between 2023 and 2024 by the user “shanhai666,” designed to deploy payloads that disrupt databases and industrial systems. According to Socket, these packages were downloaded 9,488 times. The core danger lies in their functionality: almost all of them contain fully operational code that appears legitimate but bundles concealed malware. This malware weaponizes standard C# extension methods, such as .Exec and .BeginTran, to intercept operations and check for hardcoded or encrypted trigger dates before executing their sabotage mechanisms.
The most dangerous package identified is Sharp7Extend, a typosquat of the legitimate Sharp7 library, which targets industrial PLCs. This package is particularly destructive because it uses dual sabotage mechanisms. First, it immediately begins terminating processes randomly with a 20% probability. Second, it silently causes 80% of write operations to fail without any error messages, starting 30 to 90 minutes after installation. This hidden data corruption affects safety-critical components like actuators, setpoints, and production controls in manufacturing and industrial automation environments, making detection extremely difficult.
The attack strategically targets the three major database providers used in .NET applications—SQL Server, PostgreSQL, and SQLite—in addition to industrial PLCs. The database packages, including SqlUnicorn.Core and MyDbRepository, are set for time-delayed activation. For instance, one SQL Server build activates on August 8, 2027, and other database builds trigger on November 29, 2028. The Sharp7Extend package, however, activates immediately and continues its destructive action until June 6, 2028. This long gap between installation and activation, which can be up to three years, is a sophisticated technique designed to maximize stealth and potential impact.
The threat actor used various evasion tactics, including varying the packages’ metadata to hide connections, though all used the alias “shanhai666.” Furthermore, malformed digital signatures and the presence of Chinese-language comments within the code strongly suggest a Chinese origin for the threat actor. This combination of delayed triggers, probabilistic execution, and silent corruption is highly sophisticated and rarely seen in supply chain attacks, as it makes systemic attacks appear as random crashes or hardware failures.
This campaign highlights an advanced level of supply chain attack complexity. The long delay for database malware means that developers who installed the package in 2024 will likely have moved to other projects or companies by the 2027-2028 trigger dates, making attribution and forensic analysis nearly impossible. Socket shared its findings with NuGet on November 5, 2025, and the platform confirmed that they are investigating and taking steps to remove the malicious packages.
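As an added example (not code from Socket's report or its tooling), a small Python check a defender can run over a project file: it parses the NuGet PackageReference entries in a .csproj, flags the package names quoted in the article, and flags names that closely resemble the legitimate Sharp7 package as possible typosquats. The sample project file is constructed, and "Sharp7Ext.Sample" in it is a made-up placeholder name.

```python
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Names quoted in the article; Socket's report lists nine packages and only
# these three appear in the text above, so this set is incomplete.
KNOWN_MALICIOUS = {"sharp7extend", "sqlunicorn.core", "mydbrepository"}

# Legitimate package the article says was typosquatted.
LEGITIMATE = {"sharp7"}

# Constructed sample .csproj; "Sharp7Ext.Sample" is a made-up placeholder
# name used only to exercise the typosquat rule.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sharp7Extend" Version="1.0.0" />
    <PackageReference Include="Sharp7" Version="1.1.0" />
    <PackageReference Include="Npgsql"><Version>8.0.0</Version></PackageReference>
    <PackageReference Include="MyDbRepository" Version="2.3.1" />
    <PackageReference Include="Sharp7Ext.Sample" Version="0.1.0" />
  </ItemGroup>
</Project>"""

def local(tag):
    """Strip an XML namespace prefix; old-style csproj files carry an xmlns."""
    return tag.split("}")[-1]

def is_typosquat(name, legit=LEGITIMATE, threshold=0.8):
    """True when name is not a known legitimate package but closely resembles one."""
    n = name.lower()
    if n in legit:
        return False
    return any(n.startswith(l) or SequenceMatcher(None, n, l).ratio() >= threshold
               for l in legit)

def scan_csproj(xml_text):
    """Return (package, version, reason) for every suspicious PackageReference."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "PackageReference":
            continue
        name = el.get("Include", "")
        # Version may be an attribute or a child <Version> element.
        version = el.get("Version") or next(
            (c.text for c in el if local(c.tag) == "Version"), "")
        if name.lower() in KNOWN_MALICIOUS:
            findings.append((name, version, "named in Socket report"))
        elif is_typosquat(name):
            findings.append((name, version, "possible typosquat of " + ", ".join(LEGITIMATE)))
    return findings
```

Run `scan_csproj(open("MyProject.csproj").read())` against a real project file; exact-name matches depend on keeping KNOWN_MALICIOUS in sync with the full published list.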