Within the realm of information security, diligent researchers have unveiled a fresh wave of malicious packages distributed via the NuGet package manager. These packages employ a less recognized malware distribution strategy.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

ReversingLabs, a leading software supply chain security company, has been tracking this coordinated and persistent effort since August 1, 2023. They have also established a connection between this campaign and a significant number of malicious NuGet packages responsible for disseminating the SeroXen Remote Administration Tool (RAT).

“The threat actors behind it are tenacious in their desire to plant malware into the NuGet repository and to continuously publish new malicious packages,” Karlo Zanki, a reverse engineer at ReversingLabs, said in a study that was shared with The Hacker News. “The threat actors behind it are tenacious in their desire to plant malware into the NuGet repository,”

Infected NuGet

Here’s a list of some of these packages and their names:

  • Configuration File for the Pathoschild Stardew Mod Build
  • The KucoinExchange.Net website
  • Exchange of the Kraken
  • The Discords RPC
  • SolanaWallet.com
  • Monero’s Modern.Winform.UI (User Interface)
  • Server for Minecraft Pocket Edition
  • Root I Am
  • Client Version 2 of the Zendesk API
  • Forge.Open.AI.Betalgo.Open.AI.Open Source
  • Build configuration file for the Pathoschild Stardew Mod.

Additionally, you’ll find frameworks such as CData.NetSuite.Net.Framework, CData.Salesforce.Net.Framework, and CData.Snowflake.API among the available options.

These packages, spanning multiple versions, cleverly mimic well-known packages and leverage NuGet’s MSBuild integrations feature to introduce malicious software to unsuspecting users. This is achieved by making use of a functionality called inline tasks, enabling the execution of code.

“This is the first known example of malware published to the NuGet repository exploiting this inline tasks feature to execute malware,” according to Zanki.

What sets these now-removed packages apart is their common tactic of concealing malicious code. The threat actors behind this operation used spaces and tabs to move the code out of the default screen width, effectively hiding it from plain view. This distinctive trait separates these packages from the others.

As was previously exposed by Phylum, the downloaded count of the packages has been manipulated in order to give the impression that they are more authentic than they actually are. The end purpose of the decoy packages is to act as a conduit for retrieving a second-stage.NET payload that is housed on a throwaway GitHub repository. This is the final goal of the decoy packages.

“The threat actor behind this campaign is being careful and paying attention to details and is determined to keep this malicious campaign alive and active,” according to Zanki.


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center