Malicious NuGet and npm Packages Target Developers to Steal Data and Deploy Backdoors

First reported

25.02.2026 14:43

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

Four malicious NuGet packages targeting ASP.NET developers were discovered, stealing sensitive data and creating persistent backdoors. Additionally, a malicious npm package named ambar-src was found to drop malware on Windows, Linux, and macOS systems, exfiltrating data to a Yandex Cloud domain. The NuGet packages, published between August 12 and 21, 2024, attracted over 4,500 downloads before being removed. The npm package, uploaded on February 13, 2026, amassed over 50,000 downloads before removal. The campaigns aim to compromise applications built by developers, granting attackers admin-level access and exfiltrating sensitive data.

Timeline

25.02.2026 14:43 1 articles · 5h ago

Malicious NuGet Packages Target ASP.NET Developers
Four malicious NuGet packages were discovered targeting ASP.NET developers, stealing sensitive data and creating persistent backdoors. The packages were published between August 12 and 21, 2024, and attracted over 4,500 downloads before being removed.
Show sources

Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware — thehackernews.com — 25.02.2026 14:43
Open in new tab

Information Snippets

Four malicious NuGet packages (NCryptYo, DOMOAuth2_, IRAOAuth2.0, SimpleWriter_) were discovered targeting ASP.NET developers.
First reported: 25.02.2026 14:43

1 source, 1 article
Show sources
- Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware — thehackernews.com — 25.02.2026 14:43
NCryptYo acts as a first-stage dropper, establishing a local proxy to relay traffic to an attacker-controlled C2 server.
First reported: 25.02.2026 14:43

1 source, 1 article
Show sources
- Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware — thehackernews.com — 25.02.2026 14:43
DOMOAuth2_ and IRAOAuth2.0 steal ASP.NET Identity data and backdoor applications.
First reported: 25.02.2026 14:43

1 source, 1 article
Show sources
- Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware — thehackernews.com — 25.02.2026 14:43
SimpleWriter_ features unconditional file writing and hidden process execution capabilities.
First reported: 25.02.2026 14:43

1 source, 1 article
Show sources
- Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware — thehackernews.com — 25.02.2026 14:43
The malicious npm package ambar-src drops malware on Windows, Linux, and macOS systems.
First reported: 25.02.2026 14:43

1 source, 1 article
Show sources
- Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware — thehackernews.com — 25.02.2026 14:43
Ambar-src uses npm's preinstall script hook to execute malicious code during installation.
First reported: 25.02.2026 14:43

1 source, 1 article
Show sources
- Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware — thehackernews.com — 25.02.2026 14:43
The malware exfiltrates data to a Yandex Cloud domain to blend in with legitimate traffic.
First reported: 25.02.2026 14:43

1 source, 1 article
Show sources
- Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware — thehackernews.com — 25.02.2026 14:43

Summary

Timeline

Malicious NuGet Packages Target ASP.NET Developers

Information Snippets