Socket’s Threat Research Team discovered nine malicious NuGet packages, published between 2023 and 2024 by “shanhai666,” that can deploy time-delayed payloads to disrupt databases and industrial control systems. Scheduled to trigger in August 2027 and November 2028, the packages were downloaded 9,488 times, according to supply chain security firm Socket.
According to the researchers, Sharp7Extend is the most dangerous package that targets industrial PLCs with dual sabotage mechanisms.
“The most dangerous package, Sharp7Extend, targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation, affecting safety-critical systems in manufacturing environments,” reads the report published by Socket.
Socket shared its findings with NuGet on November 5, 2025; the platform confirmed an investigation and removal efforts.
Almost every malicious package (99%) contains fully functional code that performs as advertised.
Below is the list of malicious packages:
SqlUnicorn.Core
SqlDbRepository
SqlLiteRepository
SqlUnicornCoreTest
SqlUnicornCore
SqlRepository
MyDbRepository
MCDbRepository
Sharp7Extend
The malicious packages target SQL Server, PostgreSQL and SQLite, and reach industrial PLCs via a typosquat called Sharp7Extend, which bundles the genuine Sharp7 library alongside concealed malware to evade detection. Socket’s AI scanner flagged Sharp7Extend. The malware weaponizes C# extension methods (.Exec and .BeginTran) to intercept operations and check hardcoded or encrypted trigger dates; once a trigger date has passed, it terminates the process with a 20% probability. Triggers are staggered: one SQL Server build activates on August 8, 2027; the other database builds activate on November 29, 2028; Sharp7Extend activates immediately and runs until June 6, 2028, maximizing stealth and potential impact.
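The nine package IDs above are the only indicators the report gives a defender to act on directly, so the first practical check is whether any .NET project in an organization references them. The following scanner is an example added to this article, not Socket’s tooling or code from the report: it parses the two manifest formats NuGet dependencies live in (SDK-style .csproj PackageReference entries and legacy packages.config) and flags any reference to a listed ID. NuGet package IDs are matched case-insensitively because the NuGet gallery treats them that way. The sample manifests embedded at the bottom are constructed for the demonstration; the version numbers in them are made up and the scan_directory helper is an assumed convenience for running the same check over a checkout.

```python
"""Scan .NET project manifests for the nine NuGet package IDs named in the
Socket report. Example added to this article; not Socket's own tooling."""
import os
import xml.etree.ElementTree as ET

# Package IDs exactly as listed in the report.
MALICIOUS_NUGET_IDS = {
    "SqlUnicorn.Core", "SqlDbRepository", "SqlLiteRepository",
    "SqlUnicornCoreTest", "SqlUnicornCore", "SqlRepository",
    "MyDbRepository", "MCDbRepository", "Sharp7Extend",
}
# NuGet IDs are case-insensitive, so compare in lower case but report the
# canonical spelling from the report.
_LOOKUP = {pkg_id.lower(): pkg_id for pkg_id in MALICIOUS_NUGET_IDS}


def _local(tag):
    """Strip an XML namespace prefix ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def package_refs_from_csproj(xml_text):
    """Return (id, version) pairs from <PackageReference> elements in a .csproj.

    Handles both the attribute form Version="..." and the child-element form
    <Version>...</Version>, and ignores any namespace old-style projects declare.
    """
    root = ET.fromstring(xml_text)
    refs = []
    for elem in root.iter():
        if _local(elem.tag) != "PackageReference":
            continue
        pkg_id = elem.get("Include") or elem.get("Update")
        version = elem.get("Version")
        if version is None:
            version = ""
            for child in elem:
                if _local(child.tag) == "Version" and child.text:
                    version = child.text.strip()
        if pkg_id:
            refs.append((pkg_id, version))
    return refs


def package_refs_from_packages_config(xml_text):
    """Return (id, version) pairs from a legacy packages.config file."""
    root = ET.fromstring(xml_text)
    return [(p.get("id"), p.get("version", ""))
            for p in root.iter("package") if p.get("id")]


def find_malicious(refs):
    """Return the (canonical id, version) pairs whose ID is on the report's list."""
    hits = []
    for pkg_id, version in refs:
        canonical = _LOOKUP.get(pkg_id.lower())
        if canonical is not None:
            hits.append((canonical, version))
    return hits


def scan_manifests(csproj_text, packages_config_text):
    """Combine both manifest formats and return the flagged references."""
    refs = (package_refs_from_csproj(csproj_text)
            + package_refs_from_packages_config(packages_config_text))
    return find_malicious(refs)


def scan_directory(path):
    """Assumed helper: walk a checkout and flag manifests referencing listed IDs."""
    findings = []
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name.endswith(".csproj"):
                hits = find_malicious(package_refs_from_csproj(text))
            elif name == "packages.config":
                hits = find_malicious(package_refs_from_packages_config(text))
            else:
                continue
            findings.extend((full, pkg_id, ver) for pkg_id, ver in hits)
    return findings


# Constructed sample manifests; package versions here are made up.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sharp7" Version="1.0.0" />
    <PackageReference Include="sharp7extend" Version="1.0.0" />
    <PackageReference Include="Newtonsoft.Json">
      <Version>13.0.3</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Dapper" version="2.1.35" targetFramework="net48" />
  <package id="SqlUnicorn.Core" version="1.0.2" targetFramework="net48" />
</packages>"""

if __name__ == "__main__":
    for pkg_id, version in scan_manifests(SAMPLE_CSPROJ, SAMPLE_PACKAGES_CONFIG):
        print(f"FLAGGED: {pkg_id} {version}")
```

Note that the legitimate Sharp7 reference in the sample is not flagged: only the exact typosquat ID matches, which is the point of keeping the list literal rather than pattern-based. Manifests are only one view; a packages.lock.json or the restored packages folder should be checked the same way for transitive pulls.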
“The malicious packages strategically target all three major database providers used in .NET applications (SQL Server, PostgreSQL, SQLite), plus industrial control systems through the Sharp7Extend package,” continues the report. “The Sharp7Extend package specifically targets users of the legitimate Sharp7 library, a popular .NET implementation for communicating with Siemens S7 PLCs (Programmable Logic Controllers). By appending ‘Extend’ to the trusted Sharp7 name, the threat actor exploits developers searching for Sharp7 extensions or enhancements. This typosquatting technique increases the likelihood of accidental installation in industrial automation and manufacturing environments where Sharp7 is commonly deployed.”
Malicious NuGet packages have been found that secretly sabotage databases and industrial control systems. They work by adding hidden C# methods (.Exec() for databases and .BeginTran() for PLCs) that can randomly crash applications. Some triggers are set for future dates (2027–2028), while one package, Sharp7Extend, starts causing problems immediately and continues until June 2028.
Sharp7Extend also silently corrupts data: after an initial 30–90 minute grace period, 80% of write operations fail without any error messages, affecting actuators, setpoints, safety systems, and production controls. Combined, these two mechanisms cause random crashes and hidden data corruption, making it very hard to detect the attack.
The researchers noticed that all packages use the alias shanhai666, but metadata varies to hide connections. Chinese-language comments and malformed signatures suggest a Chinese origin and deliberate evasion of security detection.
The attacker’s identity remains unknown, but code analysis and the alias “shanhai666” suggest the threat actor may be of Chinese origin.
“This campaign demonstrates sophisticated techniques rarely combined in NuGet supply chain attacks,” concludes the report. “The time gap between installation and activation, up to three years for database packages, 30-90 minutes for Sharp7Extend’s write sabotage, immediate for Sharp7Extend’s process termination makes attribution nearly impossible. Developers who installed packages in 2024 will have moved to other projects or companies by 2027-2028 when the database malware triggers, and the 20% probabilistic execution disguises systematic attacks as random crashes or hardware failures.”