Executive Summary
In February 2026, cybersecurity researchers identified a supply chain attack involving four malicious NuGet packages—NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_—targeting ASP.NET developers. These packages, published between August 12 and 21, 2024, by a user named hamzazaheer, were downloaded over 4,500 times before removal. The attack exfiltrated ASP.NET Identity data, including user accounts and role assignments, and manipulated authorization rules to create persistent backdoors in victim applications. NCryptYo acted as a first-stage dropper, establishing a local proxy for command-and-control communication, while the other packages facilitated data theft and backdoor creation. This incident underscores the escalating threat of supply chain attacks targeting software developers. Similar campaigns have been observed in other ecosystems, such as the npm registry, where malicious packages like ambar-src have been used to deploy cross-platform malware. The increasing frequency and sophistication of these attacks highlight the critical need for developers to exercise caution when incorporating third-party packages and to implement robust security measures to protect their development environments and end-users.
Why This Matters Now
Supply chain attacks targeting software developers are on the rise, with malicious packages infiltrating trusted repositories to exfiltrate sensitive data and create backdoors. Developers must remain vigilant, thoroughly vet third-party packages, and implement stringent security protocols to safeguard their applications and users.
Attack Path Analysis
The attack began with the publication of four malicious NuGet packages targeting ASP.NET developers, leading to the installation of a local proxy that relayed traffic to an attacker-controlled C2 server. This setup enabled the exfiltration of ASP.NET Identity data and the manipulation of authorization rules to create persistent backdoors in victim applications. The adversary maintained control over compromised applications through continuous data exfiltration and authorization rule modifications, ultimately granting themselves admin-level access to deployed instances.
Kill Chain Progression
Initial Compromise
Description
Adversaries published four malicious NuGet packages (NCryptYo, DOMOAuth2_, IRAOAuth2.0, SimpleWriter_) to the NuGet repository, targeting ASP.NET developers.
MITRE ATT&CK® Techniques
User Execution: Malicious Library
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Event Triggered Execution: Installer Packages
Obfuscated Files or Information
Process Injection: Dynamic-link Library Injection
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and firmware
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Application Security
Control ID: 500.08
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Implement secure software development practices
Control ID: Pillar 3: Applications and Workloads
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
ASP.NET developers face supply-chain attacks through malicious NuGet packages that enable data exfiltration and persistent backdoors in web applications, which calls for enhanced egress security.
Financial Services
Banking applications built on ASP.NET Identity are vulnerable to credential theft and authorization manipulation, which compromises PCI compliance and requires zero trust segmentation.
Health Care / Life Sciences
Healthcare web applications at risk of patient data exfiltration through compromised ASP.NET packages, violating HIPAA requirements and necessitating encrypted traffic monitoring.
Information Technology/IT
IT service providers managing ASP.NET applications face lateral movement risks and client data exposure through malicious packages, requiring multicloud visibility and threat detection.
Sources
- Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware: https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html
- Advanced Malware Campaign Targets the NuGet Package Manager: https://cyberinsider.com/advanced-malware-campaign-targets-the-nuget-package-manager/
- Malicious NuGet Package Masquerades as .NET Library to Steal Crypto Wallets and OAuth Tokens: https://cyberpress.org/malicious-nuget-package/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit malicious NuGet packages, manipulate authorization rules, and exfiltrate sensitive data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to deploy malicious packages may have been constrained, reducing the likelihood of initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been constrained, limiting unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally may have been constrained, reducing the risk of widespread compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may have been constrained, limiting remote manipulation.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been constrained, reducing data loss.
The attacker's ability to maintain persistent access may have been constrained, reducing the duration and impact of the compromise.
Impact at a Glance
Affected Business Functions
- User Authentication
- Access Control Management
- Application Security
Estimated downtime: 7 days
Estimated loss: $50,000
ASP.NET Identity data, including user accounts, role assignments, and permission mappings.
Recommended Actions
Key Takeaways & Next Steps
- Implement strict package management policies to verify the authenticity of all dependencies before inclusion.
- Utilize Zero Trust Segmentation to enforce least privilege access controls within development and production environments.
- Deploy Inline IPS (Suricata) to detect and prevent malicious payloads during the build and deployment processes.
- Establish Multicloud Visibility & Control to monitor and manage traffic across all cloud environments, identifying anomalous behaviors.
- Enforce Egress Security & Policy Enforcement to restrict unauthorized outbound communications from applications to external servers.
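As a concrete starting point for the first recommendation, the following is an added example (not code from Aviatrix or from the cited reports) that audits a .NET project tree for the four package IDs named in this advisory, checking both direct PackageReference entries in project files and the full direct-plus-transitive graph recorded in packages.lock.json. The sample project files it writes are constructed, and their version numbers are made up.

```python
import json, os, tempfile
import xml.etree.ElementTree as ET

# Package IDs named in the advisory; NuGet IDs are case-insensitive, so compare lowercased.
MALICIOUS_PACKAGE_IDS = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}

# Constructed sample inputs (versions are made up) standing in for a real project tree.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  <PackageReference Include="NCryptYo" Version="1.0.0" />
  <PackageReference Include="DOMOAuth2_" Version="1.0.1" /></ItemGroup></Project>"""
SAMPLE_LOCK = """{"version": 1, "dependencies": {"net8.0": {"Newtonsoft.Json": {"type": "Direct",
  "resolved": "13.0.3"}, "SimpleWriter_": {"type": "Transitive", "resolved": "1.0.0"}}}}"""

def package_ids_from_csproj(xml_text):
    """PackageReference IDs from a .csproj/.props (namespaced old-style projects included)."""
    return {el.get("Include") for el in ET.fromstring(xml_text).iter()
            if el.tag.rsplit("}", 1)[-1] == "PackageReference" and el.get("Include")}
def package_ids_from_lock(json_text):
    """Every direct and transitive package ID recorded in packages.lock.json."""
    deps = json.loads(json_text).get("dependencies", {})
    return {pkg for framework in deps.values() for pkg in framework}
def flag_malicious(ids):
    """Subset of ids matching the advisory's list, sorted for stable output."""
    return sorted(i for i in ids if i.lower() in MALICIOUS_PACKAGE_IDS)

def audit_tree(root_dir):
    """Walk a project tree; return {path: [flagged IDs]} for every file with a hit."""
    findings = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.endswith((".csproj", ".props", ".targets")):
                parse = package_ids_from_csproj
            elif name == "packages.lock.json":
                parse = package_ids_from_lock
            else:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig") as fh:  # utf-8-sig tolerates a BOM
                hits = flag_malicious(parse(fh.read()))
            if hits:
                findings[path] = hits
    return findings

def demo_audit():
    """Write the constructed samples into a temporary tree, audit it, return relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in (("WebApp.csproj", SAMPLE_CSPROJ), ("packages.lock.json", SAMPLE_LOCK)):
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return {os.path.relpath(p, tmp): h for p, h in audit_tree(tmp).items()}
```

Point audit_tree at a real checkout to scan it; an empty result means none of the four IDs appear in project files or lock files, not that every dependency is trustworthy.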