Malicious NuGet packages with millions of downloads are targeting users everywhere

News
By
published

Multiple typosquatted packages discovered in NuGet packages

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

Cybersecurity researchers from Phylum recently discovered a malware campaign on the NuGet package manager for the .NET Framework, trying to trick people into infecting their endpoints with a remote access trojan (RAT) called SeroXen.

The unnamed threat actors updated a malicious package called Pathoschild.Stardew.Mod.Build.Config, a typosquat of a legitimate package with a similar name - Pathoschild.Stardew.ModBuildConfig. If run, the package activates a PowerShell script, which downloads a file named x.bin (which is actually a Windows Batch script). This file builds and runs another PowerShell script which, ultimately, delivers the SeroXen RAT.

For typosquatting attacks to work, the victims need to be distracted, burnt out, or plain reckless. In this instance, the attackers went a little further to try and build legitimacy - they artificially inflated the download count. So, while the proper package has some 80,000 downloads, the malicious one has more than 100,000 downloads. That way, even the developers with a little more due diligence done might still be tricked into downloading the wrong package.

Off the shelf 

SeroXen is described as off-the-shelf malware, costing $60 for a lifetime bundle. The fileless RAT combines the functions of Quasar RAT, the r77 rootkit, and the Windows command-line tool NirCmd, The Hacker News reports. According to Trend Micro’s analysis, SeroXen offers a “comprehensive list” of features, with some standout ones including a Windows Defender-guaranteed bypass for both scan time and runtime; FUD scan time and runtime evasion against most antivirus engines; hidden Virtual Network Computing (hVNC), and full modern Windows support.

"The discovery of SeroXen RAT in NuGet packages only underscores how attackers continue to exploit open-source ecosystems and the developers that use them," Phylum said.

While the researchers did not elaborate on who the targets might be, they did say that the same account that uploaded SeroXen uploaded six other packages, four of which impersonated libraries for different crypto services.

Via The Hacker News

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A white padlock on a dark digital background.
Developers targeted by malicious Microsoft VSCode extensions
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Huge cybercrime attack sees 390,000 WordPress websites hit, details stolen
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
An abstract image of digital security.
More_eggs malware hatches two new variants for MaaS operation
The Python banner logo on a computer screen running a code editor.
More malicious Python packages are on the loose, experts warn
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
North Korean Lazarus hackers launch large-scale cyberattack by cloning open source software
Latest in Security
Webex by Cisco banner on a Chromebook
Cisco warns some Webex users of worrying security flaw, so patch now
Red padlock open on electric circuits network dark red background
AI-powered cyber threats are becoming the biggest worry for businesses everywhere
Woman using iMessage on iPhone
Apple to take legal action against British Government over backdoor request
Red padlock open on electric circuits network dark red background
Aviaton firms hit by devious new polyglot malware
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
Major ransomware attack sees Tata Technologies hit - 1.4TB dataset with over 730,000 files allegedly stolen
Image of laptop infected with malware
Ransomware criminals are now sending their demands...by snail mail?
Latest in News
A hand holding a phone showing the Android Find My Device network
Android's Find My Device can now let you track your friends – and I can't decide if that's cool or creepy
Insta360 X4 360 degree camera without lens protector
Leaked DJI Osmo 360 image suggests GoPro and Insta360 should be worried – here's why
A YouTube Premium promo on a laptop screen
A cheaper YouTube Premium Lite plan just rolled out in the US – but you’ll miss out on these 4 features
Viaim RecDot AI true wireless earbuds
These AI-powered earbuds can also act as a dictaphone with transcription when left in their case
The socket interface of the Intel Core Ultra processor
Intel unveils its most powerful AI PCs yet - new Intel Core Ultra Series 2 processors pack in vPro for lightweight laptops and high-performance workstations alike
An Nvidia GeForce RTX 5070
Nvidia confirms that an RTX 5070 Founders Edition is coming... just not on launch day
More about security
Webex by Cisco banner on a Chromebook

Cisco warns some Webex users of worrying security flaw, so patch now
Image of laptop infected with malware

Ransomware criminals are now sending their demands...by snail mail?
Photo of AFL player Josh Dunkly on the pitch ahead of the AFL 2025 season

How to watch AFL 2025: live stream Aussie football online, schedule, all the details o the opening round games
See more latest
Most Popular
A hand holding a phone showing the Android Find My Device network
Android's Find My Device can now let you track your friends – and I can't decide if that's cool or creepy
Webex by Cisco banner on a Chromebook
Cisco warns some Webex users of worrying security flaw, so patch now
A YouTube Premium promo on a laptop screen
A cheaper YouTube Premium Lite plan just rolled out in the US – but you’ll miss out on these 4 features
Viaim RecDot AI true wireless earbuds
These AI-powered earbuds can also act as a dictaphone with transcription when left in their case
Insta360 X4 360 degree camera without lens protector
Leaked DJI Osmo 360 image suggests GoPro and Insta360 should be worried – here's why
The socket interface of the Intel Core Ultra processor
Intel unveils its most powerful AI PCs yet - new Intel Core Ultra Series 2 processors pack in vPro for lightweight laptops and high-performance workstations alike
Image of laptop infected with malware
Ransomware criminals are now sending their demands...by snail mail?
Red padlock open on electric circuits network dark red background
AI-powered cyber threats are becoming the biggest worry for businesses everywhere
Red padlock open on electric circuits network dark red background
Aviaton firms hit by devious new polyglot malware
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Thursday, March 6 (game #368)