
Four Malicious NuGet Packages Target ASP.NET Developers With JIT Hooking and Credential Exfiltration

Published 24/02/2026 08:04 · Modified 24/02/2026 08:53


Essential information

Published: 24/02/2026 08:04
Modified: 24/02/2026 08:53
Tags: 2026-02-24 asp.net backdoor credential-exfiltration domoauth2_ iraoauth2.0 jit-manipulation ncryptyo nuget obfuscation simplewriter_ supply chain attack typosquatting
Related entities: 4 observables, 1 intrusion sets (apt), 7 techniques (mitre), 4 malware

Description

A involving four malicious packages targeting web application developers has been discovered. The campaign deploys a multi-stage payload where acts as a dropper, establishing a local proxy, while companion packages exfiltrate Identity data and accept threat actor-controlled authorization rules, creating backdoors in victim applications. The packages, published between August 12-21, 2024, have accumulated over 4,500 downloads. The attack uses , JIT compiler manipulation, and a two-stage architecture to evade detection. The campaign's objective is to compromise applications during development, gaining access to deployed production instances by controlling the authorization layer.

External references