Malicious NuGet Packages Exfiltrate ASP.NET Identity and Install Persistent Backdoors

Security researchers at Socket identified a supply‑chain attack that distributes malicious NuGet packages targeting ASP.NET developers. The packages appear legitimate but contain code that harvests ASP.NET Identity credentials—usernames, password hashes, and authentication tokens—and then writes a hidden backdoor into the compromised web application, allowing attackers persistent remote access.

Defenders must treat these packages as a serious threat to the confidentiality and integrity of their applications. The stolen identity data can be leveraged for credential stuffing, privilege escalation, and lateral movement across the organization. Because the malicious code runs inside the application process, it evades traditional perimeter defenses. Mitigation includes enforcing signed package policies, regularly scanning project dependencies against known threat feeds, employing SBOMs for visibility, and promptly removing or updating any affected packages.
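As an added example (not code from Socket or the original article), the dependency-scanning mitigation can be sketched as a check of a project's resolved NuGet graph in `packages.lock.json` against a threat feed, covering transitive as well as direct dependencies. The package names, the feed contents and the feed format (package id mapped to flagged versions, `*` for all) are constructed placeholders.

```python
import json

# Constructed sample of a NuGet packages.lock.json; package names are placeholders.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )",
                                "resolved": "13.0.3"},
            "Example.Identity.Helper": {"type": "Direct", "requested": "[1.0.2, )",
                                        "resolved": "1.0.2"},
            "example.logging.core": {"type": "Transitive", "resolved": "2.1.0"},
        }
    },
})

# Constructed threat feed (assumed format): package id -> flagged versions,
# where "*" means every version of that package is flagged.
SAMPLE_FEED = {
    "example.identity.helper": {"*"},
    "Example.Logging.Core": {"2.1.0"},
    "newtonsoft.json": {"0.0.1"},
}


def scan_lockfile(lock_text, feed):
    """Return sorted findings (framework, id, version, type) for flagged packages."""
    # NuGet package ids are case-insensitive, so compare lowercased ids.
    flagged = {pid.lower(): set(versions) for pid, versions in feed.items()}
    findings = []
    lock = json.loads(lock_text)
    # The lock file groups resolved packages per target framework.
    for framework, packages in lock.get("dependencies", {}).items():
        for pkg_id, meta in packages.items():
            versions = flagged.get(pkg_id.lower())
            if versions is None:
                continue
            resolved = meta.get("resolved", "")
            if "*" in versions or resolved in versions:
                findings.append((framework, pkg_id, resolved, meta.get("type", "")))
    return sorted(findings)


if __name__ == "__main__":
    for framework, pkg_id, version, dep_type in scan_lockfile(SAMPLE_LOCK, SAMPLE_FEED):
        print(f"FLAGGED {pkg_id} {version} ({dep_type}, {framework})")
```

Run in CI, a non-empty result would fail the build; the lock file is used rather than the project file because it records transitive packages that never appear as a `PackageReference`.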

Categories: Malware & Ransomware, Vulnerabilities & Exploits, Data Breaches
