Four Malicious NuGet Packages Target ASP.NET Developers With JIT Hooking and Credential Exfiltration

Feb. 24, 2026, 8:53 a.m.

Description

A NuGet supply chain attack involving four malicious packages that target ASP.NET web application developers has been discovered. The campaign deploys a multi-stage payload in which NCryptYo acts as a dropper and establishes a local proxy, while companion packages exfiltrate ASP.NET Identity data and accept threat actor-controlled authorization rules, creating backdoors in victim applications. The packages, published between August 12 and 21, 2024, have accumulated over 4,500 downloads. The attack uses obfuscation, JIT compiler manipulation, and a two-stage architecture to evade detection. The campaign's objective is to compromise applications during development and, by controlling the authorization layer, gain access to deployed production instances.

Date

  • Created: Feb. 24, 2026, 8:04 a.m.
  • Published: Feb. 24, 2026, 8:04 a.m.
  • Modified: Feb. 24, 2026, 8:53 a.m.

Indicators

  • 6d64d0ca9b3262eb00396e2c441a389fb748b750a3f16b8d086456cc3364d397
  • 7c1a9a681411c528ee2bd291450d955f9d599a03cf34a530d9c526451c63c0aa
  • 44f3766323d813752e9ec879edf17a284f5ed971f814777f18f5e8f83c1ff5ba
  • c2ac85bcbf38c6a4e1b4ba971742f126eb0deaf486b7bd396858d98a3773de73

Attack Patterns

  • DOMOAuth2_
  • SimpleWriter_
  • NCryptYo
  • IRAOAuth2.0
  • hamzazaheer