Four Malicious NuGet Packages Target ASP.NET Developers With JIT Hooking and Credential Exfiltration
Essential information
- Published
- 24/02/2026 08:04
- Modified
- 24/02/2026 08:53
- Tags
- 2026-02-24 asp.net backdoor credential-exfiltration domoauth2_ iraoauth2.0 jit-manipulation ncryptyo nuget obfuscation simplewriter_ supply chain attack typosquatting
- Related entities
- 4 observables, 1 intrusion sets (apt), 7 techniques (mitre), 4 malware
Description
A NuGet supply chain attack involving four malicious packages targeting ASP.NET web application developers has been discovered. The campaign deploys a multi-stage payload where NCryptYo acts as a dropper, establishing a local proxy, while companion packages exfiltrate ASP.NET Identity data and accept threat actor-controlled authorization rules, creating backdoors in victim applications. The packages, published between August 12-21, 2024, have accumulated over 4,500 downloads. The attack uses obfuscation, JIT compiler manipulation, and a two-stage architecture to evade detection. The campaign's objective is to compromise applications during development, gaining access to deployed production instances by controlling the authorization layer.