
Socket for .NET

Secure Your .NET Projects

Install our free GitHub app to protect .NET dependencies from vulnerable and malicious code.

Detect and block malware, mining software, open source license violations, code quality issues, and 70+ indicators of supply chain attacks. Socket is a full-featured enterprise-ready SCA tool that can be seamlessly dropped into your workflow with just two clicks.


Socket supports NuGet and Paket

And all your favorite tools

We protect you from vulnerable and malicious .NET packages

zny.rabbitmq

2.0.3

by 中国电建集团中南勘测设计研究院有限公司

Live on nuget

Blocked by Socket

This fragment exhibits robust indicators of obfuscation and dynamic payload handling typical of loaders/dropper-style components. The convergence of embedded payload handling, dynamic IL generation, and unmanaged memory interactions creates credible risk of hidden code execution or data exfiltration. Treat as a high-security concern; require exhaustive dynamic analysis, integrity checks, and removal or replacement with a transparent, auditable alternative before any production use.

solnetall

0.0.5

Live on nuget

Blocked by Socket

NuGet package published in the campaign (author DamienMcdougal). Removed from NuGet before analysis but associated with other wallet-stealer packages and presumed to perform similar exfiltration/stealing behavior (ReversingLabs).

umbracare.core

10.0.1

by wtengler, piotrbach

Live on nuget

Blocked by Socket

This assembly contains a highly obfuscated reflective/native loader that reads encrypted embedded resources, performs cryptographic verification, allocates executable memory or writes into process memory (including /proc/self/mem), patches function pointers / JIT entries and executes decrypted code. These are strong indicators of a runtime code-injection/loader component commonly used in malware/payload loaders or sophisticated packers. Treat this package as malicious/untrusted; do not run. If this package was expected to be a benign Umbraco helper, it has been backdoored or bundled with a loader component and should be removed and investigated further.

googleads.api

0.0.35

Live on nuget

Blocked by Socket

Malicious code in googleads.api (NuGet)

asddotnet.db.mongodb

2.24.905.15

by QingHui.Zhang

Live on nuget

Blocked by Socket

The MongoDB wrapper portion looks standard, but this assembly also contains a highly obfuscated loader/unpacker with runtime decryption, dynamic method generation, and wrappers around dangerous native APIs (VirtualAlloc, WriteProcessMemory, OpenProcess, VirtualProtect, LoadLibrary/GetProcAddress). Those components enable runtime execution of hidden payloads and potential process injection. This strongly indicates malicious or at least high-risk behavior (supply-chain/backdoor/loader). Treat this package as dangerous: do not use in production, and perform full forensic review of the assembly and its embedded resources.

leadtools.medical.workstation.dataaccesslayer.dll.netframework

20.0.0.4

by LEADTOOLS

Live on nuget

Blocked by Socket

Overall assessment indicates high obfuscation with patterns consistent with potential loader/backdoor or payload concealment, including extensive P/Invoke usage, runtime code loading, and cryptographic scaffolding. While not definitive proof of active malicious behavior in this isolated fragment, the combination of indicators strongly suggests that this code could be leveraged for covert actions or supply-chain abuse if deployed with untrusted inputs or in an environment where the implementations of the abstract methods are provided by a hostile party. Treat as a high security risk and require thorough provenance verification, code-path tracing, and a controlled review of all concrete implementations (subclasses, configuration, and data access logic).

imagecomponents.aspforms.imaging

4.0.1.1

by Image Components

Live on nuget

Blocked by Socket

This assembly embeds a highly obfuscated runtime loader/reflective injector that decrypts embedded resources and performs low-level native operations (VirtualAlloc, WriteProcessMemory, OpenProcess, VirtualProtect, LoadLibrary/GetProcAddress) and runtime delegate/IL generation to execute or inject payloads. That behavior is strongly inconsistent with an ASP.NET image annotation control and is typical of a malicious loader/backdoor or in-memory dropper. I recommend not using this package and treating it as malicious until proven otherwise; remove from builds and investigate any deployments where it ran.

12-best-free-instagram-followers-apps-for-nolito-and-iphone-in-2022-nolito

4.3.8

by GAMES

Live on nuget

Blocked by Socket

This file itself contains no executable malicious code, but the assembly metadata explicitly advertises and describes an Instagram password-hacking tool with URLs and instructions. That constitutes a high supply-chain risk: the package should be treated as malicious until a complete code audit proves otherwise. Do not install or run in trusted environments; scan and quarantine the package and investigate other package files for active payloads.

youshow.ace.automapper

9.0.2

by Ace

Live on nuget

Blocked by Socket

The AutoMapper-facing types appear benign, but the same assembly contains a heavily obfuscated and suspicious loader/packer class. That class reads embedded resources and filesystem locations, decrypts and transforms data, allocates executable memory, uses native OS APIs (VirtualAlloc/VirtualProtect/WriteProcessMemory/OpenProcess/GetProcAddress/LoadLibrary), dynamically generates managed delegates and invokes them. Those are textbook behaviors of a runtime loader/injector and can be used to execute arbitrary native or managed payloads and to tamper with the runtime. This poses a high risk for supply-chain compromise. I recommend not using this package until the embedded resource and the obfuscated component are fully audited and their purpose confirmed. If you must use it, isolate it in a secure environment and perform dynamic analysis to see what the decrypted payload does.

cbim.mango.server.framework

2.0.1-pre.250423

by cbim-zx

Live on nuget

Blocked by Socket

The codebase contains a high-severity risk pattern: a runtime license patch (AsposePatch) that manipulates XmlNode.OuterXml to bypass Aspose.Cells licensing checks, using Harmony to patch and later unpatch. This constitutes license circumvention and a potential backdoor-like channel in the supply chain, amplified by heavy dynamic/reflective code and numerous external dependencies. While other startup/config paths are common for server frameworks, the patching mechanism and embedded license blob represent a material security risk that could enable illicit usage or conceal malicious behavior. Recommended actions include removing or hardening the licensing patch, performing SBOM and license compliance reviews, auditing patch lifecycle (patch/apply/unpatch points), rotating JWT private keys, tightening config/data flow controls, and pinning third-party dependencies to known-good versions.

znxt.net.core.web

1.0.38

by ZNxt.Net.Core.Web

Live on nuget

Blocked by Socket

The codebase exhibits high-risk patterns for supply-chain abuse and remote code execution due to dynamic assembly loading, reflection-based invocation, and remote route installation, compounded by hardcoded secrets and weak cryptography. Immediate mitigations include removing runtime loading of untrusted assemblies, enabling strong code signing and integrity verification, eliminating ECB/weak crypto, enforcing secret storage in secure vaults, removing TLS validation bypass, and strict access controls around module installation and route overrides. If left unchecked, this can lead to remote code execution, data leakage, and credential compromise.

imagecomponents.blazor.ui

4.0.1.1

by Image Components

Live on nuget

Blocked by Socket

This assembly contains a highly obfuscated runtime loader/patcher which reads embedded resources and files, decrypts and verifies them, allocates executable memory and writes bytes into process memory, and installs/executes runtime patches (dynamic delegates, JIT/native trampoline). Those behaviors are consistent with an in-memory code injector / loader. This is potentially malicious or at minimum extremely high-risk for supply-chain use: it performs native memory modification, process memory writes, and execution of decrypted payloads. Treat as malicious/untrusted unless you control and fully audit the embedded payload and have explicit, documented justification for this behavior.

sharp7extend

3.0.2

by Jack

Live on nuget

Blocked by Socket

This code contains multiple security and supply-chain concerns. Most notably, S7ClientExtend.BeginTran contains a probabilistic Process.Kill() path (terminates the host process ~20% of the time before 2028-06-06), which is a destructive/backdoor-like behavior and should be considered malicious/sabotage. There are also hardcoded database credentials (sa:123456) and SQL built via string interpolation leading to SQL injection risk. The code reads and decrypts an AppSetting ('st') using hardcoded DES keys (likely a license/time-gate mechanism). Other parts (logging, background threads, PLC read/write logic) are consistent with intended PLC integration. Overall: do not trust or use this package in production without removing the process-kill logic and replacing insecure DB handling and hardcoded secrets.

soenneker.redis.util.net

3.2.9

by Jake Soenneker

Live on nuget

Blocked by Socket

The DLL defines an assembly-level static initializer that, as soon as the module is loaded, spawns powershell.exe with a hidden window to run a one-liner: it sets a temp path ending in ‘.bat’, invokes Invoke-WebRequest to download a script from raw[.]githubusercontent[.]com/TerryDavisSoldier/textfilestorage/main/terry[.]txt into that file, then Start-Process executes it unseen. This delivers automatic remote code execution on import, with no validation, no integrity checks, and no opt-in, effectively acting as a backdoor.

asddotnet.expressions

2.24.818.12

by QingHui.Zhang

Live on nuget

Blocked by Socket

The code exhibits high-risk characteristics typical of payload loaders and backdoor scaffolds: obfuscated strings, heavy use of reflection and dynamic IL, unmanaged interop hooks, and in-memory cryptographic payload handling. While not definitively malicious in isolation, these patterns constitute a serious supply-chain risk and warrant strict scrutiny, provenance verification, and avoidance of deployment unless the codebase is thoroughly audited and validated by trusted maintainers.

meichen.webapi.kernel

6.0.36

by MeiChen

Live on nuget

Blocked by Socket

This package contains a strongly obfuscated runtime loader that decrypts embedded resources and performs native in-memory code injection and runtime pointer patching (cross-platform). Those capabilities are consistent with a malicious loader/backdoor/packer and present a severe supply-chain and execution risk. Do not use this package in production. Remove it from dependency graphs, block builds that include it, and perform isolated dynamic/forensic analysis if you need to determine the exact payload. Treat as malicious/untrusted until proven otherwise.

asddotnet.db.linq2db

2.24.818.10

by QingHui.Zhang

Live on nuget

Blocked by Socket

This assembly includes typical database context code but also contains a heavily obfuscated runtime/unpacker with capability to load and decrypt embedded resources and to call native Windows APIs that enable allocating and writing memory and opening other processes. Those behaviors are consistent with a loader/injector and present a high supply-chain risk. Treat this package as malicious or highly suspicious: avoid use, and perform an isolated forensic inspection of the embedded resources. Even if the DB code is benign, the loader portion is dangerous.

syncfusion.blazor

23.1.42

by Syncfusion Inc.

Live on nuget

Blocked by Socket

The fragment demonstrates high-anomaly activity with suspicious UI overlays and obfuscated behavior that could enable credential harvesting or deceptive licensing flows in a supply-chain context. While not conclusively proven malicious, the combination of license-overlay prompts, heavy obfuscation, and dynamic content injected into the DOM warrants strict scrutiny, isolation, or removal from production dependencies until parent-source verification is completed.

zyknow.abp.microservice.template

0.0.1-preview-01

by Zyknow

Live on nuget

Blocked by Socket

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

tx.web

1.0.1.1

by TianTeng

Live on nuget

Blocked by Socket

This assembly contains a heavily obfuscated loader/reflective-injector embedded alongside benign-looking web helper APIs. It reads encrypted embedded resources or files, decrypts them (symmetric key+IV are present in code), verifies signatures, allocates memory, writes decrypted bytes to memory or other processes, and dynamically creates delegates/DynamicMethods to execute code. Those behaviors are characteristic of a malicious loader/backdoor or dropper (runtime code injection / reflective assembly loading). The public helper classes likely serve to mask malicious functionality in a supply-chain context. Recommend: treat this package as malicious; do not use or install it, remove from supply chain, and investigate any systems where it was deployed.

tx.fbx

1.1.6.17

by TianTeng

Live on nuget

Blocked by Socket

This assembly contains a dual nature: benign-looking FBX conversion stubs plus a large, intentionally obfuscated runtime loader capable of decrypting embedded payloads, allocating and modifying memory, writing to process memory, and creating delegates/function pointers for execution. Those operations are consistent with an in-memory loader/implant or obfuscated packer — potentially malicious. Treat this package as high risk: extract resources and analyze decrypted blobs in a sandbox, and avoid including it in trusted supply chains until fully inspected. If you only need FBX conversion, prefer a known clean library.

solnetunified

0.0.18

Live on nuget

Blocked by Socket

Part of the NuGet campaign targeting Solana ecosystem developers; contains hidden malicious functionality to exfiltrate wallet data or otherwise enable theft (attributed to ReversingLabs).

allossupersecscore

2.0.4.28

by AllOsSuperSecsCore

Live on nuget

Blocked by Socket

The code fragment shows legitimate architectural components for a SECS/GEM gateway with both inbound and outbound networking, yet the pervasive obfuscation, cryptographic handling with a fixed host, and potential backdoor-like patterns create meaningful supply-chain and runtime-security risks. Treat this as a high-scrutiny dependency requiring formal code provenance checks, secure cryptographic practices, deobfuscation or signing, and controlled exposure of network surfaces. If used, enforce strict input validation, limit outbound connections, and isolate this component from untrusted environments.

tx.office

1.1.0.5

by TianTeng

Live on nuget

Blocked by Socket

The Tx.Office fragment exhibits strong indicators of obfuscation, anti-analysis protection, and extensive native/memory interop code that could host hidden payloads or backdoors. The combination of Windows Office interop wrappers with Linux memory-access patterns, dynamic code generation, and tamper checks constitutes a significant supply-chain security risk. Recommend isolating the assembly, implementing strict code integrity checks (signing, hashes), restricting dynamic code execution, and conducting a thorough white-box/black-box security review before deployment. If used, run in a tightly controlled sandbox with monitored memory integrity and ensure provenance of all embedded resources and dependencies.

tx.cefui

1.0.2.3

by TianTeng

Live on nuget

Blocked by Socket

This assembly contains a heavily obfuscated runtime loader/unpacker that decrypts embedded resources, verifies cryptographic signatures, allocates and writes executable memory, patches function pointers and CLR/JIT internals, and invokes in-memory payloads. Those behaviors are characteristic of a loader/backdoor/implant and are not appropriate for a benign CefSharp UI library. I recommend not using this package, treating it as malicious or high-risk, and removing it from any supply chain. Further analysis (dynamic/runtime inspection of the decrypted payload) would be needed to classify the ultimate payload, but the loader behavior alone is sufficient to block.

Socket CLI

Not using GitHub? Generate reports next to your tests with our CLI


We help security teams work more efficiently

Cut through the noise and focus on real threats.

Get actionable alerts for the supply chain risks that matter. Socket highlights risky dependencies directly within the developer workflow.