Malicious NuGet packages carry time-delayed logic bombs targeting databases and industrial control systems
Take action: If you use .NET/NuGet packages for database access or for Siemens PLC communication, immediately audit your projects for these nine malicious packages: SqlUnicorn.Core, SqlDbRepository, SqlLiteRepository, SqlUnicornCoreTest, SqlUnicornCore, SqlRepository, MyDbRepository, MCDbRepository, and Sharp7Extend. If any are found, assume full compromise and remove them immediately.
Learn More
Socket's Threat Research team is reporting a supply chain attack involving nine malicious NuGet packages that deploy time-delayed destructive payloads targeting database operations and industrial control systems.
Published under the NuGet alias "shanhai666" between 2023 and 2024, the malicious packages accumulated 9,488 downloads before being reported to NuGet on November 5, 2025. They have now been removed from the registry.
Each malicious package contains approximately 99% legitimate, fully functional code that provides genuine repository patterns, transaction management, LINQ support, pagination, async operations, and entity mapping features. The legitimate functionality serves as an elaborate cover, building developer trust and passing code reviews. The malicious payload is concealed in 20 lines buried within thousands of lines of working implementation.
The threat actor even published three completely legitimate packages alongside the malicious ones to establish credibility and reduce suspicion when developers research the author's profile.
The malware exploits C# extension methods to transparently inject malicious logic into every database query and programmable logic controller operation. The malicious packages add an .Exec() extension method to database command types and a .BeginTran() method to S7Client objects, which automatically execute each time an application performs these operations.
After hardcoded trigger dates are reached, the malware employs a probabilistic execution pattern. It generates a random number between 1 and 100, and if the number exceeds 80 (a 20% probability) the malware calls Process.GetCurrentProcess().Kill(), immediately terminating the entire application without warning or error logging. The trigger dates are strategically staggered: one SQL Server implementation activates on August 8, 2027, while the PostgreSQL, SQLite, and alternate SQL Server implementations trigger on November 29, 2028. This multi-year delay between installation and activation makes attribution nearly impossible, as developers who installed the packages in 2023-2024 will likely have moved to different projects or companies by the time the malware activates.
The nine identified malicious packages are:
- SqlUnicorn.Core
- SqlDbRepository
- SqlLiteRepository
- SqlUnicornCoreTest
- SqlUnicornCore
- SqlRepository
- MyDbRepository
- MCDbRepository
- Sharp7Extend
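As an added example (not Socket's or NuGet's tooling), the following Python scans the dependency files a .NET project checks in for the nine package IDs above, including transitive entries in packages.lock.json; the sample project snippets are constructed.

```python
# Added example, not Socket's tooling: audit the dependency files a .NET project
# checks in (.csproj, packages.config, packages.lock.json) for the nine package
# IDs listed above. NuGet IDs are case-insensitive, so matching is lower-cased.
import json
import xml.etree.ElementTree as ET

MALICIOUS_IDS = {
    "sqlunicorn.core", "sqldbrepository", "sqlliterepository",
    "sqlunicorncoretest", "sqlunicorncore", "sqlrepository",
    "mydbrepository", "mcdbrepository", "sharp7extend",
}

def scan_csproj(xml_text):
    """Direct <PackageReference> entries; tolerates the legacy MSBuild namespace."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] == "PackageReference":
            pkg = el.get("Include") or el.get("Update") or ""
            if pkg.lower() in MALICIOUS_IDS:
                hits.append((pkg, el.get("Version") or el.findtext("Version") or "?", "Direct"))
    return hits

def scan_packages_config(xml_text):
    """Legacy packages.config: <package id="..." version="..."/> entries."""
    return [(el.get("id"), el.get("version") or "?", "Direct")
            for el in ET.fromstring(xml_text).iter("package")
            if (el.get("id") or "").lower() in MALICIOUS_IDS]

def scan_lock_json(json_text):
    """packages.lock.json also records transitive packages that a .csproj scan misses."""
    hits = []
    for deps in json.loads(json_text).get("dependencies", {}).values():
        for pkg, info in deps.items():
            if pkg.lower() in MALICIOUS_IDS:
                hits.append((pkg, info.get("resolved", "?"), info.get("type", "?")))
    return hits

# Constructed sample inputs for demonstration only.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Sharp7" Version="1.0.0" />
  <PackageReference Include="sharp7extend" Version="1.0.0" />
</ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "SqlUnicorn.Core": {"type": "Transitive", "resolved": "1.2.0"},
    "Newtonsoft.Json": {"type": "Direct", "resolved": "13.0.3"}}}})

if __name__ == "__main__":
    for hit in scan_csproj(SAMPLE_CSPROJ) + scan_lock_json(SAMPLE_LOCK):
        print("%s %s (%s): listed as malicious, treat host as compromised" % hit)
```

Run it over every .csproj, packages.config and packages.lock.json in a repository; a lock-file hit of type Transitive means the package arrived through another dependency and will not appear in any .csproj.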
The most dangerous package in the campaign is Sharp7Extend, which specifically targets industrial control systems through sophisticated typosquatting. By appending "Extend" to the trusted Sharp7, a popular .NET library for communicating with Siemens S7 programmable logic controllers, the threat actor exploits developers searching for Sharp7 extensions or enhancements.
Unlike the database-focused packages with delayed activation, Sharp7Extend implements dual sabotage mechanisms with inverted logic that creates operational chaos:
- The first mechanism triggers on every S7 PLC connection operation with 20% probability per operation, causing complete application termination. This mechanism is active immediately on installation and continues until June 6, 2028, when the termination process stops.
- The second mechanism is a write operation sabotage that uses a time-delayed fallback disguised as configuration-based control. The code attempts to read a double-DES-encrypted trigger date from a configuration value that does not exist in the deployed package, causing initialization to always fail and fall back to a randomized delay between 30 and 90 minutes.
Analysis of the package metadata reveals deliberate obfuscation tactics designed to evade detection. All packages were published under the NuGet alias shanhai666, but the package metadata shows different author names across the malicious packages, creating the false impression that they originate from different developers and evading detection systems that flag multiple suspicious packages from the same author.
Multiple indicators suggest the threat actor may be of Chinese origin. The alias "shanhai666" appears to be Chinese—"shanhai" (山海) means "mountains and seas" or could reference the mythological text Shan Hai Jing, while "666" is Chinese internet slang meaning "excellent" or "smooth." Code analysis reveals Chinese-language comments throughout several malicious DLLs, including error messages such as "出现异常" (exception occurred), "数据请求地址不正确" (data request address incorrect), and "连接失败" (connection failed). Additionally, some package metadata contains Chinese characters in descriptions and author fields.
Organizations must immediately audit all .NET dependencies for the nine malicious packages and assume any system containing these packages is fully compromised. Industrial control systems running Sharp7Extend may already be experiencing intermittent failures masquerading as PLC communication issues.