Cybercrims plant destructive time bomb malware in industrial .NET extensions
Summary
Security researchers at Socket discovered nine malicious NuGet packages, published in 2023–2024 by a user named shanhai666, that include small destructive payloads timed to activate in 2027–2028. Nearly 10,000 downloads were recorded. Most of the packages appear legitimate and supply useful functionality; the attackers hid roughly 20 lines of malicious code inside thousands of benign lines to build trust and avoid detection.
Several of the packages extend database drivers (SQL Server, PostgreSQL, SQLite) and are programmed to randomly terminate host processes once their trigger dates pass. The most concerning package, Sharp7Extend, targets Siemens S7 PLC communications used in manufacturing: its sabotage activates immediately on installation, with part of it remaining active until June 6, 2028, causing random crashes and a high rate of command failures that could affect safety systems.
Socket coordinated with NuGet to remove the packages. Researchers warn organisations to assume compromise if dependencies include these packages and to audit and remediate immediately, since tracing the original introducers will be difficult by the time payloads activate.
Key Points
- Nine of 12 NuGet packages published by ‘shanhai666’ contained malicious code; combined downloads near 10,000.
- Most code in the packages is legitimate — attackers hid tiny destructive payloads to gain trust and avoid casual detection.
- Database-related packages are time-bombed to trigger in 2027–2028 and can randomly terminate host applications (c. 20% chance on certain operations).
- Sharp7Extend specifically targets Siemens S7 PLC communications and activates immediately, causing random crashes and forcing critical commands to fail up to 80% of the time.
- Industrial and safety-critical environments (manufacturing, healthcare, e-commerce) could see failures within seconds to minutes of deployment.
- Socket worked with NuGet to remove the packages, but organisations must audit dependencies and assume affected systems are compromised.
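As a starting point for the dependency audit the researchers call for, the following is an added Python example (not code from Socket or from the article) that lists direct PackageReference entries from a .csproj and direct plus transitive entries from a packages.lock.json, then flags any that match a list of package names. Sharp7Extend is the only name taken from the report; the second list entry is a placeholder for the other package names in the advisory, and the sample project files are constructed.

```python
import json
import xml.etree.ElementTree as ET

# Names to flag, lower-cased. Sharp7Extend is named in the report; the second
# entry is a PLACEHOLDER for the other eight packages listed in the advisory.
FLAGGED = {"sharp7extend", "<other-package-name-from-advisory>"}


def csproj_packages(xml_text):
    """Return {name: version} for every <PackageReference> in a .csproj file."""
    found = {}
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        name = ref.get("Include")
        if name:
            found[name] = ref.get("Version") or ref.findtext("Version", "")
    return found


def lockfile_packages(json_text):
    """Return {name: (version, type)} from packages.lock.json; type is Direct or
    Transitive. Transitive hits matter: the package still loads at run time."""
    found = {}
    for deps in json.loads(json_text).get("dependencies", {}).values():
        for name, info in deps.items():
            found[name] = (info.get("resolved", ""), info.get("type", ""))
    return found


def audit(csproj_text=None, lockfile_text=None):
    """Return sorted (name, version, origin) tuples for flagged packages."""
    hits = set()
    if csproj_text:
        for name, ver in csproj_packages(csproj_text).items():
            if name.lower() in FLAGGED:
                hits.add((name, ver, "direct"))
    if lockfile_text:
        for name, (ver, kind) in lockfile_packages(lockfile_text).items():
            if name.lower() in FLAGGED:
                hits.add((name, ver, kind.lower() or "unknown"))
    return sorted(hits)


# Constructed sample inputs (not real project files): the lock file shows the
# flagged package arriving transitively even though the .csproj never names it.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
</ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
    "Sharp7Extend": {"type": "Transitive", "resolved": "1.0.0"}}}})
```

Run `audit()` over every .csproj and packages.lock.json in a repository; a project without a lock file will miss transitive references, so generate one (or inspect project.assets.json) before treating a clean result as final.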
Context and relevance
This is a classic supply-chain sabotage: tiny, well-disguised changes in widely used packages that deliver outsized harm later. It highlights an escalating trend where attackers plant delayed triggers to build trusted footholds before striking — making incident response and attribution much harder. For organisations using .NET libraries, database drivers or Siemens S7 integrations, this is directly relevant to operational resilience and safety compliance.
Why should I read this?
Short version: nasty trick, big consequences. These crooks buried tiny bombs in otherwise useful packages so they’d be trusted and spread. If you or your teams use .NET packages, SQL drivers or Siemens PLC helpers — stop what you’re doing and check your dependencies now. We’ve saved you the digging: this is the sort of supply-chain nastiness that can break production or, worse, endanger people.
