thehackernews.com 2/25/2026, 2:26:14 PM · via preferred

NuGet packages exfiltrate ASP.NET Identity and add backdoors

Primary source: socket.dev

Cybersecurity researchers have found four malicious NuGet packages aimed at ASP.NET developers that exfiltrate ASP.NET Identity data, including user accounts, role assignments, and permission mappings, while also manipulating authorization rules to create backdoors in applications. The packages, NCryptYo, DOMOAuth2_, IRAOAuth2.0 and SimpleWriter_, were published to NuGet between 12 and 21 August 2024 by a user named hamzazaheer and drew more than 4,500 downloads before they were removed.

NCryptYo acts as a stage-1 dropper: it masquerades as the legitimate NCrypto package and installs a local proxy on localhost:7152 that relays traffic to a dynamically retrieved C2 server. According to Socket, DOMOAuth2_ and IRAOAuth2.0 transmit ASP.NET Identity data through that proxy, enabling the attacker to modify authorization rules and grant themselves admin access in deployed production applications; SimpleWriter_ writes threat-actor-controlled content to disk and can run the dropped binary with hidden windows.
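A defender's first check after a report like this is whether any project in the estate references the named packages. The following script is an added example, not code from Socket or The Hacker News: it pulls package ids out of a .csproj or packages.config, flags the four reported ids exactly, and separately flags near-matches of the impersonated NCrypto name for manual review (the 0.8 similarity threshold and the sample project file are constructed for this illustration).

```python
"""Audit a .NET project file for the NuGet packages named in the report above.
Added example for this page, not code from Socket or The Hacker News."""
import difflib
import xml.etree.ElementTree as ET

# Package ids the report names as malicious; NuGet ids compare case-insensitively.
MALICIOUS_IDS = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}
IMPERSONATED = "ncrypto"  # legitimate package that NCryptYo masquerades as

def extract_package_ids(xml_text: str) -> list:
    """Collect ids from a .csproj (PackageReference Include=...) or a
    packages.config (package id=...), ignoring any MSBuild XML namespace."""
    ids = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop '{namespace}' prefix if present
        if tag == "PackageReference":
            ids.append(elem.get("Include") or elem.get("Update") or "")
        elif tag == "package":
            ids.append(elem.get("id", ""))
    return [i for i in ids if i]

def classify_package(pkg_id: str) -> "str | None":
    """'malicious' for a reported id, 'lookalike' for a near-match of the
    impersonated name (flagged for human review), None otherwise."""
    pid = pkg_id.lower()
    if pid in MALICIOUS_IDS:
        return "malicious"
    # Constructed threshold: catches one-character swaps such as 'Ncrypt0'.
    if pid != IMPERSONATED and difflib.SequenceMatcher(None, pid, IMPERSONATED).ratio() >= 0.8:
        return "lookalike"
    return None

def audit_project_xml(xml_text: str) -> dict:
    """Map each suspicious package id in one project file to its verdict."""
    findings = {}
    for pkg in extract_package_ids(xml_text):
        verdict = classify_package(pkg)
        if verdict:
            findings[pkg] = verdict
    return findings

# Constructed sample .csproj: one reported id, one lookalike, two benign references.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="NCryptYo" Version="1.0.0" />
    <PackageReference Include="Ncrypt0" Version="2.1.0" />
    <PackageReference Include="NCrypto" Version="1.2.0" />
  </ItemGroup>
</Project>"""
```

Running `audit_project_xml(SAMPLE_CSPROJ)` returns `{"NCryptYo": "malicious", "Ncrypt0": "lookalike"}`; point the same function at each .csproj and packages.config in a repository to sweep an estate.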

The disclosure also notes a separate incident in which Tenable highlighted a malicious npm package, ambar-src, that had over 50,000 downloads before removal; it uses a preinstall script to fetch payloads and deploys backdoors across Windows, Linux, and macOS.


Article by CyberSIXT