Malicious NuGet Packages Target ASP.NET Developers Stealing Credentials Through JIT Hooks


Four malicious NuGet packages target ASP.NET developers by deploying credential-stealing backdoors. NCryptYo, DOMOAuth2_, IRAOAuth2.0 and SimpleWriter_ have racked up 4,500+ downloads since August 2024. JIT compiler hijacking and localhost proxies let them evade detection completely.

Hamzazaheer published typosquatted packages mimicking legitimate cryptography and OAuth libraries. NCryptYo impersonates the Windows CNG provider with an identical DLL namespace. A static constructor fires on assembly load, creating a hidden proxy tunnel immediately.

A localhost listener on port 7152 silently relays traffic to attacker infrastructure. DOMOAuth2_ and IRAOAuth2.0 extract ASP.NET Identity data, including user IDs, roles and permissions. SimpleWriter_ drops persistent executables disguised as PDF tools.

GZip-compressed, Base64-encoded authentication tokens that are identical across the packages confirm a single operator. VirusTotal shows only 1 of 72 engines detecting NCrypt.dll despite the aggressive obfuscation. .NET Reactor protection includes a 14-day expiry and anti-debugging.

Figure: VirusTotal analysis showing only 1 of 72 security vendors detecting NCrypt.dll, highlighting the difficulty of detecting heavily obfuscated .NET malware (Source: Socket.dev)

JIT hooking intercepts .NET method compilation and decrypts payloads only at runtime, so static scanners see nothing but inert encrypted resources. The 126KB primary payload builds an external C2 tunnel after compromise.

Production web apps inherit the backdoors from compromised developer workstations, and CI/CD pipelines silently propagate the malware into customer deployments. The supply chain compromise therefore extends well beyond the initial targets.

Package Details Table

Package         Disguise         Downloads   Primary Function
NCryptYo        Crypto library   Unknown     JIT hook + proxy
DOMOAuth2_      OAuth2 client    Unknown     Identity theft
IRAOAuth2.0     OAuth2 client    Unknown     Identity theft
SimpleWriter_   PDF writer       Unknown     File dropper

Attack Infrastructure

  • Proxy Port: localhost:7152 external relay
  • Obfuscation: .NET Reactor + encrypted resources
  • Detection Evasion: JIT compiler hijacking
  • Token Encoding: GZip + custom Base64
  • Persistence: Production app deployment

CI/CD scanning must flag static constructors and localhost listeners, and obfuscation markers require automated rejection policies.

Mitigation Actions

  • Verify package authors and download history
  • Block localhost:7152 outbound connections
  • Scan for JIT hooking in dependencies
  • Audit ASP.NET Identity data access
  • Deploy obfuscation detection in pipelines
  • Remove hamzazaheer published packages
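
One way to act on the first and last items above: an added audit script (not from the article, nor from Socket.dev or NuGet) that walks a source tree and flags the four package IDs named in this article wherever they appear as a PackageReference in a .csproj or as a package entry in packages.config. The sample project files embedded below are constructed for the demo, and the lookup tolerates case differences because NuGet IDs are case-insensitive.

```python
import os
import xml.etree.ElementTree as ET

# Package IDs reported in the article; matched case-insensitively.
FLAGGED_PACKAGES = {"NCryptYo", "DOMOAuth2_", "IRAOAuth2.0", "SimpleWriter_"}
_FLAGGED_LOWER = {p.lower() for p in FLAGGED_PACKAGES}

def flagged_references(xml_text):
    """Return [(package_id, version)] for flagged packages in a .csproj or packages.config."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the MSBuild namespace on legacy projects
        if tag == "PackageReference":      # SDK-style or legacy .csproj
            pkg = elem.get("Include") or elem.get("Update")
            ver = elem.get("Version") or next(
                (c.text for c in elem if c.tag.rsplit("}", 1)[-1] == "Version"), None)
        elif tag == "package":             # legacy packages.config
            pkg, ver = elem.get("id"), elem.get("version")
        else:
            continue
        if pkg and pkg.lower() in _FLAGGED_LOWER:
            hits.append((pkg, (ver or "?").strip()))
    return hits

def scan_tree(root_dir):
    """Walk a source tree; return {path: hits} for project files that reference a flagged package."""
    findings = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.endswith(".csproj") or name == "packages.config":
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8-sig") as fh:
                        hits = flagged_references(fh.read())
                except (ET.ParseError, OSError):
                    continue  # unreadable or malformed project file; skip it
                if hits:
                    findings[path] = hits
    return findings

# Constructed sample project files for the demo (not real project files).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
  <PackageReference Include="ncryptyo" Version="1.0.3" />
  <PackageReference Include="DOMOAuth2_"><Version>2.1.0</Version></PackageReference>
</ItemGroup></Project>"""
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Newtonsoft.Json" version="13.0.3" /><package id="SimpleWriter_" version="0.9.1" />
</packages>"""
```

Run `scan_tree` against a checkout or a build agent's workspace; any non-empty result is a project that should be quarantined and rebuilt after the packages are removed.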

Developer workstations represent the highest-risk vectors. Compromised builds propagate through entire deployment chains. Enterprise .NET environments require immediate package audits.

FAQ

Which NuGet packages contain malware?

NCryptYo, DOMOAuth2_, IRAOAuth2.0, SimpleWriter_.

How do packages evade antivirus detection?

JIT compiler hijacking decrypts the payloads only at runtime.

What confirms single threat actor operation?

Identical GZip Base64 auth tokens across packages.

What is the primary data stolen from developers?

ASP.NET Identity user IDs, roles, permissions.

What is the infection trigger mechanism?

A static constructor fires on assembly load.

What is the production impact of a compromise?

Backdoors deploy to customer web applications.
