Sharp7Extend malicious NuGet logic bombs
Malware Activity
Summary
The Sharp7Extend supply-chain malware event has escalated because nine malicious NuGet packages were found to embed logic bombs that can sabotage database operations and industrial PLCs. Published in 2023-2024 by shanhai666, the packages were downloaded 9,488 times before removal from NuGet. The most dangerous package can trigger random process termination and silent write failures against Siemens S7 PLCs after delayed activation, extending the risk window into 2027-2028.
Related Happenings
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Jason Saayman hit by network compromise
Incident
First: 31.03.2026 16:53
Last: 31.03.2026 16:53
Sources 1
About this happening:
The **Axios** npm package was compromised after maintainer **Jason Saayman**'s **npm account** was taken over, and malicious versions were published to the registry. The release c...
Latest development: 01.04.2026 12:00
Google Threat Intelligence Group attributed the Axios npm supply-chain compromise to UNC1069, citing the use of WAVESHAPER.V2 and describing the actor as financially motivated and North Korea-nexus. GTIG also warned that malicious axios releases v1.14.1 and v0.30.4, delivered through Jason Saayman’s compromised account and plain-crypto-js, could have a broad blast radius across dependent packages and developer environments.
GlassWorm open-source supply-chain campaign targeting developers
Campaign
First: 14.03.2026 14:55
Last: 14.03.2026 14:55
Sources 1
About this happening:
The **GlassWorm** campaign has added a new **Open VSX** wave of **73 cloned VS Code extensions** that impersonate legitimate packages to build trust before delivering malware. **S...
Latest development: 17.03.2026 23:42
GlassWorm renewed its supply-chain campaign against GitHub, npm, and VSCode/OpenVSX, with researchers identifying 433 compromised components this month across 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. The operators compromised GitHub accounts to force-push malicious commits, published obfuscated code using invisible Unicode characters, and used Solana blockchain transactions as C2 to deliver a Node.js runtime and a JavaScript-based information stealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.
Malicious NuGet package activity targeting ASP.NET Identity
Malware Activity
First: 25.02.2026 14:43
Last: 25.02.2026 14:43
Sources 1
About this happening:
Four **malicious NuGet packages** were uncovered that **exfiltrate ASP.NET Identity** data and create **persistent backdoors**, putting deployed **ASP.NET** applications at risk....
Open-source developers face a surge in malicious packages and vulnerable releases
Target Trend
First: 28.01.2026 13:00
Last: 28.01.2026 13:00
Sources 1
About this happening:
**Open-source package ecosystems** are seeing a sustained surge in **malicious packages** and **high-risk vulnerable releases**, expanding supply-chain risk for **developers** and...
Timeline
- 07.11.2025 13:55 · 1 article · 6mo ago
Earliest malicious NuGet package appears in the supply-chain set
Campaign Scope Update: MyDbRepository appears as the earliest dated package in the malicious NuGet set, showing that the package campaign was already underway by May 13, 2023 and later expanded into logic-bomb payloads against database operations and industrial control environments.
- Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation — thehackernews.com — 07.11.2025 13:55
- 07.11.2025 13:55 · 1 article · 6mo ago
Sharp7Extend package adds PLC sabotage logic
Technical Analysis Update: Sharp7Extend is a malicious NuGet package targeting users of the legitimate Sharp7 library for Siemens S7 programmable logic controllers, using C# extension methods to execute code during database queries or PLC operations and to enable random process termination plus delayed PLC write failures after installation.
- Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation — thehackernews.com — 07.11.2025 13:55
- 07.11.2025 13:55 · 2 articles · 6mo ago
Socket discloses nine malicious NuGet packages
Initial Disclosure: Socket identified nine malicious NuGet packages published by shanhai666 in 2023-2024, downloaded 9,488 times, and removed from NuGet after analysis showed logic bombs designed to sabotage database operations and industrial control systems; the packages were also linked to delayed trigger dates in 2027-2028 and a possible Chinese-origin threat actor.
- Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation — thehackernews.com — 07.11.2025 13:55
- Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation — thehackernews.com — 07.11.2025 13:55