Cybersecurity experts have uncovered a new threat targeting ASP.NET web developers through the distribution of four harmful NuGet packages. These packages are part of a campaign designed to extract sensitive ASP.NET Identity information, including user credentials, role assignments, and authorization details. The attack also tampers with the application's authorization rules to establish backdoors in affected applications, posing a significant security risk.
Details of the Malicious Packages
Identified by the cybersecurity firm Socket, the harmful packages (NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_) were uploaded to the NuGet repository by a user named hamzazaheer between August 12 and 21, 2024. These packages managed to accumulate over 4,500 downloads before their removal following responsible disclosure.
NCryptYo functions as a first-stage dropper, creating a local proxy on port 7152 to relay traffic to a dynamically resolved command-and-control (C2) server under the attackers’ control. The package aims to deceive developers by imitating the legitimate NCrypto package. Meanwhile, DOMOAuth2_ and IRAOAuth2.0 focus on data theft and application backdooring, whereas SimpleWriter_ offers capabilities like unconditional file writing and hidden process execution, disguised as a PDF conversion tool.
Technical Analysis and Impact
The technical assessment reveals that all four packages were developed in similar build environments, indicating a single threat actor’s involvement. According to security researcher Kush Pandya, NCryptYo’s static constructor installs hooks into the JIT compiler, decrypting and deploying a second-stage binary. This binary sets up a localhost proxy that channels data between the malicious packages and the C2 infrastructure.
Once the local proxy is operational, DOMOAuth2_ and IRAOAuth2.0 begin extracting ASP.NET Identity data, which is then sent to the external server. The server responds with altered authorization rules, enabling the attackers to maintain persistent access by modifying permissions or disabling security measures. SimpleWriter_ contributes by executing externally controlled content, adding another layer of risk.
Ongoing Threats in Software Supply Chains
The campaign primarily aims to compromise deployed applications rather than the developers directly. By infiltrating the authorization layer during development, the attackers can maintain access to production environments, continuously siphoning data and altering security settings. This method ensures long-term access to applications built with these compromised dependencies.
In parallel, another malicious package named ambar-src was identified by Tenable, having been downloaded over 50,000 times from the npm registry. Uploaded on February 13, 2026, this package leverages npm's preinstall script to execute harmful code selected by operating system, dropping different payloads on Windows, Linux, and macOS.
The malware employs tactics to avoid detection, abusing trusted cloud services for data exfiltration so that the traffic is difficult to block. Tenable warns that any system running ambar-src should be considered fully compromised, and simply removing the package may not eliminate all threats.
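A first triage check for both campaigns described above is to look for the named packages in a project's dependency manifests and to surface npm install-time lifecycle scripts, since that is the hook ambar-src abuses. The script below is an added example, not code from Socket or Tenable; the package names come from this report, and the sample manifests and their version numbers are constructed for illustration.

```python
"""Scan .csproj and package.json manifests for the packages named in this report."""
import json
import xml.etree.ElementTree as ET

# Package IDs named in the report. NuGet IDs are case-insensitive, so compare lowercased.
MALICIOUS_NUGET = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}
MALICIOUS_NPM = {"ambar-src"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def scan_csproj(xml_text: str) -> list:
    """Return PackageReference IDs in a .csproj that match the report's NuGet names."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        # Old-style csproj files carry an MSBuild namespace; match on the local tag name.
        if elem.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        pkg = elem.get("Include") or elem.get("Update") or ""
        if pkg.lower() in MALICIOUS_NUGET:
            hits.append(pkg)
    return hits


def scan_package_json(json_text: str) -> dict:
    """Flag the report's npm package and any scripts that run automatically on install."""
    doc = json.loads(json_text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(doc.get(section, {}))
    hits = sorted(name for name in deps if name.lower() in MALICIOUS_NPM)
    scripts = doc.get("scripts", {})
    hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
    return {"malicious": hits, "install_hooks": hooks}


# Constructed sample manifests (versions and script names are invented for the demo).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="NCryptYo" Version="1.0.0" />
  </ItemGroup>
</Project>"""

SAMPLE_PACKAGE_JSON = """{"name": "demo-app",
  "dependencies": {"express": "^4.19.0", "ambar-src": "1.0.0"},
  "scripts": {"preinstall": "node setup.js", "test": "jest"}}"""

if __name__ == "__main__":
    print("NuGet hits:", scan_csproj(SAMPLE_CSPROJ))
    print("npm findings:", scan_package_json(SAMPLE_PACKAGE_JSON))
```

Run it against real manifests by reading each file's text into the two functions; a hit on either list, or an unexpected install hook, is a reason to treat the build host and any deployed application as suspect rather than just removing the package.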
As these incidents highlight the ongoing vulnerabilities in software supply chains, developers are urged to scrutinize package dependencies and remain vigilant against such security threats to protect their applications and data integrity.
