NuGet or NuRegret? The Trojan Horse Typosquatting Campaign Making Developers Question Their Code

Beware, developers! The NuGet Typosquatting Malware Campaign has turned our beloved package manager into a Trojan horse. The bad guys are exploiting MSBuild integration to hide malicious code, using typosquatting packages as their tickets in. Who knew we’d need a cybersecurity degree just to say “Hello, World!” in code?

Hot Take:

Oh, dear code gods! The NuGet package manager, a developer’s best friend, has become a Trojan horse in a new typosquatting campaign. The bad guys are using a feature meant to simplify our lives – MSBuild integration – to hide malicious code and pull a fast one on us. At this rate, we’ll need a cybersecurity degree to write “Hello, World!”

Key Points:

  • Malicious actors are exploiting NuGet’s MSBuild integration to hide and execute malicious code.
  • They use typosquatting packages to install malware, targeting predominantly Windows users.
  • The technique was first revealed by a security researcher in 2019, but this is the first documented misuse of it.
  • ReversingLabs spotted the campaign in mid-October 2023, part of an ongoing campaign that started in August 2023.
  • The attackers refine their techniques continuously, indicating an intent to persist with their campaign.

Need to know more?

A Package Delivery We Didn't Sign For

The latest NuGet campaign uses typosquatting packages to slip malware into your system. They cleverly leverage NuGet's MSBuild integration to run their naughty code. This feature, introduced in NuGet v2.5, was supposed to make developers' lives easier. Well, in this case, it certainly made the hackers' lives easier!

How MSBuild Got Schooled

The tricksters hide their malicious code in a package’s ‘build’ directory. When NuGet installs the package, the .targets and .props files in this directory are automatically imported into the consuming project’s build. The result? The malicious code gets executed as part of the build, without the developer ever calling it. It's like inviting a vampire into your house - once they're in, it's hard to get them out!
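As an added example (not code from the article or from ReversingLabs), here is a small Python audit script that unpacks a .nupkg and lists every Exec or UsingTask found in the auto-imported build/ .props and .targets files, i.e. exactly the hook described above. The package it scans is constructed inline for the demo; the hook it contains only echoes a string.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
# Tasks that run arbitrary commands or load arbitrary task assemblies at build time.
RISKY_TASKS = {"Exec", "UsingTask"}
# NuGet auto-imports build/, buildTransitive/ and buildMultiTargeting/ .props/.targets files.
BUILD_FILE_RE = re.compile(r"^build(?:Transitive|MultiTargeting)?/.*\.(?:props|targets)$", re.I)


def find_build_hooks(nupkg_bytes: bytes) -> list:
    """List every risky MSBuild task found in the auto-imported build files of a .nupkg."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as pkg:
        for name in pkg.namelist():
            if not BUILD_FILE_RE.match(name):
                continue
            root = ET.fromstring(pkg.read(name))
            parents = {child: parent for parent in root.iter() for child in parent}
            for elem in root.iter():
                tag = elem.tag.split("}")[-1]  # drop the MSBuild XML namespace
                if tag not in RISKY_TASKS:
                    continue
                target = parents.get(elem)  # the <Target> that would run this task, if any
                findings.append({
                    "file": name,
                    "task": tag,
                    "target": target.get("Name") if target is not None else None,
                    "detail": elem.get("Command") or elem.get("AssemblyFile") or "",
                })
    return findings


def build_sample_nupkg() -> bytes:
    """Constructed sample package (not a real NuGet package) carrying a build-time hook."""
    targets = f"""<Project xmlns="{MSBUILD_NS}">
  <Target Name="SampleHook" BeforeTargets="Build">
    <Exec Command="echo constructed-sample" />
  </Target>
</Project>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("Sample.nuspec", "<package />")
        pkg.writestr("lib/net6.0/Sample.dll", b"")
        pkg.writestr("build/Sample.targets", targets)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_build_hooks(build_sample_nupkg()):
        print(f"{hit['file']}: <{hit['task']}> in target {hit['target']}: {hit['detail']}")
```

Pointing `find_build_hooks` at a freshly restored package before it is built gives you a quick yes/no on whether it can run commands at all; a `lib/`-only package should return an empty list.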

From Research to Reality

Although a security researcher highlighted this potential misuse in 2019, this is the first documented case of this technique being used in the wild. The researcher's package, dubbed "IAmRoot," was meant to demonstrate that any NuGet package could run arbitrary code. In a twisted sense of irony, the hackers took this demonstration as a how-to guide.

A Campaign That's Not For President

This malicious campaign started in August 2023 but didn’t incorporate the MSBuild abuse until mid-October. The bad guys continually refine their techniques, showing a persistent intent to keep the campaign going. Earlier versions fetched the malware payload from a GitHub repository using PowerShell scripts. Now, they've gone all stealth mode with the MSBuild trickery.

The Never-Ending Story

Despite packages being removed, new ones pop up quickly, indicating that these persistent pests aren't backing down anytime soon. It's like a game of whack-a-mole, where the moles are malware packages, and the carnival music is the collective groan of developers everywhere.

Tags: attack techniques, Malware, MSBuild, NuGet, SeroXen RAT, Software Distribution Systems, typosquatting