StratosAlly – Cybersecurity for digital safety

Malicious NuGet and npm Packages Compromise ASP.NET Projects in Supply-Chain Attack


StratosAlly


Developers are facing another supply-chain warning after researchers discovered harmful packages in both NuGet and npm that were secretly collecting data and installing malware.

The problem was noticed when several ASP.NET projects began showing unusual behavior. An investigation traced the activity to recently uploaded NuGet libraries that appeared to be ordinary utility tools. A closer examination revealed the packages contained hidden code that pulled identity information from running applications, including user accounts, role assignments, and permission settings handled through ASP.NET Identity.

Those who reviewed the packages said they were designed to look harmless. They blended into normal development work and ran quietly after being added to a project. In some cases, the code also adjusted authorization settings, which could allow unwanted access to continue without drawing attention.

Separately, a suspicious package was found in the npm ecosystem. During a standard installation, the package executed a hidden script that downloaded additional malicious files onto the developer’s system. Because npm runs a package’s install-time lifecycle scripts automatically by default, the activity could occur without clear warning signs.

Security teams say this incident shows how open-source repositories remain a prime target. Rather than attacking organizations directly, attackers are attempting to insert malicious code into commonly used dependencies so it spreads through trusted development processes.

Developers are being urged to review third-party packages carefully, check the reputation of publishers, and watch for unusual network activity during builds. Using dependency monitoring tools and stronger account protection on repository platforms can also help reduce risk.

The identified packages have been removed, but the episode is a reminder that supply-chain threats are not going away. As more projects depend on external components, careful review of dependencies is becoming essential.
