SecurityWeek reports that malicious NuGet packages are being leveraged in a new attack aimed at .NET developers.
The malicious packages have been downloaded almost 150,000 times, according to a JFrog report, which noted the attackers' use of typosquatting to lure downloads. The most popular package, Coinbase.Core, had more than 120,000 downloads before it was removed from the NuGet repository.
Researchers discovered that the packages contained a PowerShell script that retrieved a second payload, a Windows executable capable of cryptocurrency theft, extracting and executing code from Electron archives, and deploying an updater executable.
"The top three packages were downloaded an incredible amount of times; this could be an indicator that the attack was highly successful, infecting a large amount of machines. However, this is not a fully reliable indicator of the attack's success since the attackers could have automatically inflated the download count (with bots) to make the packages seem more legitimate," said JFrog.