Socket for .NET

solnetunified
0.0.11
Live on nuget
Blocked by Socket
Part of the NuGet campaign targeting Solana ecosystem developers; contains hidden malicious functionality to exfiltrate wallet data or otherwise enable theft (attributed to ReversingLabs).
tx.bimobj
1.1.5.10
by TianTeng
Live on nuget
Blocked by Socket
This assembly contains a highly obfuscated runtime loader/protector component that reads encrypted embedded payloads or resources, decrypts them, allocates executable memory, patches runtime/JIT function pointers and writes into process memory (including /proc/self/mem and WriteProcessMemory) to execute code in-memory. Those operations are classic for packers/launchers and can be used as a supply-chain backdoor or to execute malicious payloads stealthily. Treat this package as high risk: remove or audit in a sandbox to extract and analyze decrypted payloads before use. If you expect a simple BIM export library, this behavior is unexpected and strongly suspicious.
pathoschild.stardew.modbuildconfig.net
9.2.9
by Pathoschild
Live on nuget
Blocked by Socket
This file contains a malicious module-level static initializer that spawns PowerShell to download and execute a remote .bat from a hardcoded URL at assembly-load time. That behavior constitutes remote code execution and a supply-chain/backdoor compromise. Do not use this assembly; obtain a clean, verified copy from the official distributor and investigate any systems where this binary was loaded.
at.encipher
1.0.0
by Kamlesh Ganar
Live on nuget
Blocked by Socket
This module contains an automated data-collection and exfiltration routine triggered from the Bluefish static constructor. It harvests system identifiers (MAC, disk/OS/CPU info, usernames, domain, local and public IPs) and sends them via SMTP using hardcoded credentials to at.packagelogs@gmail.com. The behavior is privacy-invasive and fits a supply-chain/telemetry exfiltration malicious pattern. The encryption functionality by itself is not inherently malicious, but the bundled hidden telemetry and hardcoded remote account are malicious. Do not trust or use this package in production; remove and treat any systems that used it as potentially compromised.
ir.iplus328
2.1.26
by ir
Live on nuget
Blocked by Socket
Conclusion: The sample exhibits high-risk characteristics consistent with a loader/backdoor or obfuscated payload carrier. While direct malicious actions are not explicitly shown, its capabilities (runtime code loading, unmanaged memory access, and anti-analysis patterns) pose substantial security risk in a supply-chain context. Treat as suspicious; implement rigorous provenance checks, signing, and isolate or exclude from production dependencies until a clean, auditable version is provided.
vl.cef.renderer
0.2.1
by vvvv group
Live on nuget
Blocked by Socket
The fragment is highly suspicious and likely hazardous as a component payload. It comprises an extensive, obfuscated-like localization resource with Chrome/Chromium metadata and explicit malware indicators, suggesting potential backdoor/data-exfiltration risk if embedded in a package. Without clear executable entry points and proper context, it should be treated as high-risk in a supply chain and isolated from any distribution. A thorough code-path audit, provenance check, and removal from any public package is recommended.
meichen.plugins
0.1.27
by MeiChen
Live on nuget
Blocked by Socket
This assembly contains a highly obfuscated runtime loader that decrypts embedded payloads and performs native memory allocation and writes, patches runtime function pointers (including CLR/JIT hooks), and can execute in-memory code. These are strong indicators of a backdoor/code-injection loader or loader-for-malicious payload. Even if parts are for legitimate protected plugin loading, the techniques (process memory writes, VirtualAlloc/mprotect, Marshal.WriteIntPtr replacing module pointers, /proc/self/mem usage) are dangerous for supply-chain use. I recommend treating this package as malicious/untrusted and removing it from sensitive environments; at minimum perform full offline analysis of embedded resources and dynamic behavior in a controlled sandbox before any use.
tiglib.communication
1.1.1
by TigLib.Communication
Live on nuget
Blocked by Socket
The code includes a global keyboard hook that captures keystrokes, which is characteristic of keylogger functionality and represents a significant security and privacy risk. Although no direct evidence of exfiltration or malicious network communication is present, the keylogging capability alone warrants a high malware and security risk score. The rest of the communication implementations appear standard and non-malicious. The code is not obfuscated. Users should be warned about the keylogging behavior and carefully consider the security implications before using this package.
ftswms
2.0.0.11
by -, Fine Tech Solutions INC, Fine Tech Solutions©
Live on nuget
Blocked by Socket
The fragment exhibits multiple security concerns that elevate risk: pervasive hard-coded credentials (Dropbox tokens, Telegram bot tokens, FTP/DB credentials) and usage of cryptographic primitives with weak key handling, combined with extensive external network activity and privileged restart capabilities. These traits create substantial attack surface for credential exposure, data exfiltration, or persistence in a supply-chain context. Recommendation: eliminate hard-coded secrets, adopt secure secret management (vaults, env-based configuration with rotation), minimize and audit external communications, remove or restrict reflective/dynamic invocation, and implement thorough input validation and least-privilege controls. Consider sandboxing or removing bot-based alerting from production until credentials are rotated and access is restricted.
dynamoforrevit.2025.zerotouchutils
2025.6.2
by onBIM Technology
Live on nuget
Blocked by Socket
This assembly contains a heavily obfuscated runtime loader that reads embedded resources, decrypts them, allocates executable/native memory, patches runtime structures and executes code in-memory. Those behaviors are consistent with a malicious loader/backdoor or a packer that can install and run arbitrary native or managed payloads at runtime. The benign public API surface appears to be a decoy; the real activity happens in static initializers. This is a high-risk supply-chain artifact and should be treated as malicious; do not run or trust this package in production without thorough forensic review in a controlled environment.
nbitcoin.unified
0.0.94
Live on nuget
Blocked by Socket
Malicious package (published by DamienMcdougal) that steals wallet information (private keys, seed phrases, WIF) by injecting subtle exfiltration routines; identified by ReversingLabs.
solnetplus
0.0.42
Live on nuget
Blocked by Socket
NuGet package used in the campaign to impersonate Solana tooling; contains injected code to exfiltrate wallet data or otherwise redirect/steal crypto (ReversingLabs attribution).
leadtools.medicalcollection.webviewer
22.0.0.3
by LEADTOOLS
Live on nuget
Blocked by Socket
This assembly contains a strongly obfuscated in-memory loader/runner that decrypts embedded payloads and uses native APIs to allocate, write, and execute code inside process memory. Those behaviors are not normal for a DICOM annotation converter and are consistent with a loader/backdoor or supply-chain implant. Do not trust the package; further dynamic and static forensic analysis of the decrypted payloads is required.
51degrees.mobi-data
3.2.16.12
by James Rosewell, Ben Shillito, Joseph Dix, James Rosewell, Ben Shillito
Live on nuget
Blocked by Socket
The source code is highly suspicious and likely malicious. It uses obfuscated PHP eval code and wget commands to download files from suspicious IP addresses, indicating potential malware behavior. The large unrelated data blob may be an evasion tactic. The provided reports are invalid and uninformative. This code poses a high security risk and should be treated as malware.
saanaa.identity.httpapi.host
9.0.5.8
by Saanaa Developer Team
Live on nuget
Blocked by Socket
The fragment contains an injected, targeted, and intrusive behavior: when the client's locale and hostname match Russian patterns, and a timing condition is met, the code silently injects and attempts to play an external audio file and disables pointer interactions. This is not normal for a modal/dialog library and is a supply-chain style malicious insertion. Treat this as malicious/unwanted code and avoid using the affected package version; investigate commit history and package provenance.
googleads.api
0.0.21
Live on nuget
Blocked by Socket
Malicious NuGet package that exfiltrates Google Ads OAuth data (developer tokens, client IDs/secrets) to attacker servers, enabling full programmatic access to victims' Google Ads accounts (ReversingLabs).
teng.security
1.0.1
by Denuin
Live on nuget
Blocked by Socket
This assembly is intentionally obfuscated and implements a runtime loader that decrypts/decodes embedded payloads and executes them in-process by allocating executable memory, copying bytes and creating delegates from pointers. Those patterns (VirtualAlloc/VirtualProtect + Marshal + delegate-from-pointer + excessive obfuscation + reflection into module internals) are characteristic of malicious loaders or techniques used for code injection and in-memory execution of arbitrary payloads. I recommend treating this package as malicious or at minimum extremely high risk; do not run it in production or on trusted systems. Further dynamic analysis of the embedded resources would be required to determine the exact payload behavior.
vnas.polly.waitandretry
1.1.0
by vNAS
Live on nuget
Blocked by Socket
This file is malicious or highly suspicious. It implements an obfuscated in-memory loader/injector with cryptographic decryption of embedded payloads, reflective retrieval of module pointers, allocation/protection of executable memory and invocation through function-pointer delegates. Even though no explicit network exfiltration appears in the visible code, the capability to load and execute arbitrary native code in-process is present and constitutes a high-risk supply-chain/backdoor behavior. Do not trust or install this package; treat it as a runtime code execution/backdoor component.
atalasoft.dotimage.pdfdoc.barcodewriting.x86
11.4.0.9377
by Atalasoft
Live on nuget
Blocked by Socket
This assembly contains legitimate-looking PDF/barcode rendering types but also includes heavily obfuscated code that reads encrypted embedded resources, decrypts them with a hardcoded symmetric key/IV, performs in-memory unpacking, and exposes native APIs for memory allocation and writing into processes (VirtualAlloc, WriteProcessMemory, OpenProcess, etc.), plus reflection-based runtime code injection. Those capabilities are classic loader/injector behaviors and are not expected in a barcode rendering helper library. Treat this package as potentially malicious or trojanized: do not use until provenance and purpose of the obfuscated code are validated (vendor confirmation, signed binary, source correspondence).
paway.comm
2.5.5
by Tinn
Live on nuget
Blocked by Socket
Conclusion: The code fragment demonstrates aggressive obfuscation, dynamic code-generation, and substantial memory/interop features that align with loader/backdoor behavior and potential supply-chain abuse. Given the presence of /proc/self/mem access, extensive unmanaged interop, and opaque payload handling, there is a high likelihood of malicious or backdoor-like functionality. Treat as high-security-risk and perform a thorough binary integrity check, supply-chain vetting, and offline review before any deployment.
usefultoolsdotnet
1.0.7
by cntow, UsefulTools
Live on nuget
Blocked by Socket
This source file implements behavior that is a significant supply-chain and runtime remote-code-execution risk: it writes sensitive configuration (including DecryptionKey) in plaintext to a predictable TEMP file and downloads+executes an .exe from a hard-coded raw URL without any integrity or authenticity checks. The code itself is not obfuscated, but its behavior enables arbitrary remote code to run with the caller's privileges and to access local secrets. Treat this component as high risk; require strict controls (signed binaries, integrity checks, secure storage for secrets, and explicit user/operator approval) before use.
kejie.bos.data
2.0.2
by Kejiesoft
Live on nuget
Blocked by Socket
This file contains a highly obfuscated runtime loader/patcher. It reads encrypted embedded data, decrypts it, allocates executable memory, writes to process memory (including via /proc/self/mem and WriteProcessMemory), patches runtime/JIT structures and method pointers, and then invokes the loaded code. It also includes anti-debug and anti-tamper checks. These behaviors constitute active in-memory code injection and execution and are strongly indicative of malicious or backdoor behavior; the component should be considered dangerous and not safe for inclusion in trusted builds.
imagecomponents.webcore.imaging
4.0.4.3
by Image Components
Live on nuget
Blocked by Socket
This assembly contains two distinct aspects: an ostensibly normal image-components ASP.NET API surface and a large, heavily obfuscated runtime loader capable of decrypting embedded resources, allocating executable memory, writing bytes into process memory, patching runtime method pointers and executing arbitrary native code. Those capabilities are consistent with a reflective loader or in-memory code injector/backdoor. Unless there is a verifiable and documented legitimate reason (e.g., signed, audited native licensing component with clear documentation), treat this code as malicious or extremely high risk for supply-chain/backdoor behavior. Avoid using this package until provenance, signatures, and purpose are validated.
elecosoft.bidcon.sdk
2021.2.21251.4
by Elecosoft Consultec AB
Live on nuget
Blocked by Socket
The BidCon.SDK fragment contains multiple critical security concerns: a hardcoded backdoor enabling admin login, use of DES with a static key/IV, unsafe deserialization via BinaryFormatter from attachments, and non-parameterized SQL that opens SQL injection avenues. These issues present a high risk to supply-chain integrity and runtime security. Mitigations include removing the backdoor, adopting parameterized queries, replacing BinaryFormatter with safe serializers (e.g., System.Text.Json/Protobuf), replacing DES with a modern, properly managed AES implementation, and reducing reliance on reflection/COM with strict input validation and whitelisting.
leadtools.medical.cors
22.0.0.3
by LEADTOOLS
Live on nuget
Blocked by Socket
This file contains highly obfuscated code that reads embedded data/resources, decrypts it with a hardcoded AES key/IV, allocates and writes executable memory, resolves native function pointers and invokes them. It enumerates and manipulates process modules and performs Read/WriteProcessMemory and VirtualProtect operations. Those behaviors match an in-memory loader/injector or dropper (potentially shellcode execution) rather than benign library behavior. This is malicious or at minimum extremely high-risk and should be treated as a supply-chain/backdoor threat. Do not use this package; isolate and remove it and perform forensic review of systems where it ran.