Security Researchers Discover Malicious NuGet Packages
Cybersecurity researchers have discovered four malicious NuGet packages targeting ASP.NET web application developers to steal sensitive data. These packages were published between August 12 and 21, 2024 by a user named hamzazaheer.
Details of the Malicious Packages
The four packages are NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_. They have since been removed from the repository following responsible disclosure, but not before attracting more than 4,500 downloads.
Functionality of NCryptYo
NCryptYo acts as a first-stage dropper: it establishes a local proxy on localhost:7152 that relays traffic to an attacker-controlled command-and-control (C2) server whose address is retrieved dynamically at runtime. The package name imitates the legitimate NCrypto package.
Functionality of DOMOAuth2_ and IRAOAuth2.0
DOMOAuth2_ and IRAOAuth2.0 steal ASP.NET Identity data and backdoor the applications that reference them.
Functionality of SimpleWriter_
SimpleWriter_ presents itself as a PDF conversion utility, but it writes threat actor-controlled content to disk unconditionally and executes the dropped binary with hidden windows. It is not yet clear how users are tricked into downloading these packages, since the attack chain only triggers once all four of them are installed.
Tenable Discloses Details of a Malicious npm Package
Tenable disclosed details of a malicious npm package named ambar-src that amassed more than 50,000 downloads before it was removed from the JavaScript registry. It was uploaded to npm on February 13, 2026.
Functionality of ambar-src
The malware is designed to run a one-liner command that obtains different payloads from the domain
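As an added example (not code from the article or from the researchers it cites), the following Python script audits a .NET project's .csproj and an npm package.json for the package names reported above, and flags NuGet IDs that are a short edit distance away from NCrypto, the package the report says NCryptYo imitated. The sample manifests are constructed for the demo; NuGet package IDs are case-insensitive, so all NuGet comparisons are made on lower-cased names.

```python
"""Audit manifests for the malicious package names named in the report above.

Added example, not from the article. Package names come from the report;
the sample manifests below are constructed for the demo.
"""
import json
import xml.etree.ElementTree as ET

# NuGet package IDs are case-insensitive, so they are stored lower-cased.
MALICIOUS_NUGET = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}
MALICIOUS_NPM = {"ambar-src"}
# Legitimate package that the report says NCryptYo masqueraded as.
LOOKALIKE_TARGETS = {"ncrypto"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two names; used to flag typosquat-style look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nuget_refs(csproj_xml: str) -> dict[str, str]:
    """Return {package_id_lowercase: version} for every PackageReference in a .csproj."""
    root = ET.fromstring(csproj_xml)
    refs = {}
    for el in root.iter("PackageReference"):
        pkg = el.get("Include")
        if pkg:
            refs[pkg.lower()] = el.get("Version", "")
    return refs


def npm_deps(package_json: str) -> set[str]:
    """Return every package name listed in the dependency sections of package.json."""
    data = json.loads(package_json)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(section, {}))
    return names


def audit(csproj_xml: str, package_json: str) -> dict:
    """Report direct references to the named packages and look-alikes of NCrypto."""
    nuget = set(nuget_refs(csproj_xml))
    npm = npm_deps(package_json)
    findings = {
        "nuget_malicious": sorted(MALICIOUS_NUGET & nuget),
        "npm_malicious": sorted(MALICIOUS_NPM & npm),
        "nuget_lookalikes": [],
    }
    for pkg in nuget_refs(csproj_xml):
        for target in LOOKALIKE_TARGETS:
            if pkg != target and levenshtein(pkg, target) <= 2:
                findings["nuget_lookalikes"].append((pkg, target))
    # The report says the NuGet chain only fires once all four packages are present.
    findings["full_nuget_chain"] = MALICIOUS_NUGET <= nuget
    return findings


# Constructed sample manifests (not real project files).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="NCryptYo" Version="1.0.0" />
    <PackageReference Include="DOMOAuth2_" Version="1.0.0" />
  </ItemGroup>
</Project>"""

SAMPLE_PACKAGE_JSON = """{"name": "demo",
 "dependencies": {"express": "^4.19.0", "ambar-src": "1.0.0"}}"""


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CSPROJ, SAMPLE_PACKAGE_JSON).items():
        print(f"{key}: {value}")
```

The script only inspects direct references. Because the report states the NuGet chain needs all four packages installed, a real audit should also cover transitive dependencies, for example by reading the generated obj/project.assets.json or a committed packages.lock.json, and the npm lockfile rather than package.json alone.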
Original article: https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html
