Malicious Packages Targeting ICS Software
By Bronson Berky on November 18, 2025
Executive Summary
Malicious NuGet packages containing time-delayed sabotage code are targeting Industrial Control Systems (ICS). These packages are capable of compromising a company’s databases and systems, leading to operational shutdowns. Recommended mitigation involves removing the malicious packages, monitoring the software supply chain, and actively patching vulnerabilities; the best practice is to enforce stricter package verification and continuous monitoring of dependencies to better protect affected systems. By using these strategies, businesses can increase their security resilience against this threat.
Background
Researchers recently found that NuGet packages have been sabotaged with payloads scheduled to activate between 2027 and 2028. These packages were made to target a brand of ICS devices called Siemens S7, a series of Programmable Logic Controllers (PLCs) used worldwide in industries such as manufacturing and energy [4]. The packages were published under the alias “ShanHai666” and bundle legitimate code with harmful code, making detection of the malicious packages more difficult.
Researchers confirmed that one of the most dangerous packages, “Sharp7Extend,” was a typosquat made to mimic the Sharp7 library in order to gain access to companies’ PLC communications [1]. This allowed the package to perform legitimate tasks during test runs while installing sabotage code on infected devices. This is an example of a growing class of attack called supply chain attacks, which target the distribution chain that companies use to update their systems and install new tools. It shows the growing trend of such attacks and how attackers gain access to systems by disguising malicious code as legitimate software.
Further investigation found that these packages had been downloaded around 9,500 times and had embedded themselves in ICS systems worldwide [2]. The delayed activation suggests a long-term sabotage plan designed to exploit more systems and escalate attacks if demands aren’t met. In addition, immediate activation of the payloads has only resulted in random crashes, a sign that these payloads are not fully finished yet. The NuGet campaign represents a significant jump in supply chain attacks and the effects they may have on ICS systems [3].
Impact
The main threat is the NuGet packages themselves, which are hidden logic bombs made to corrupt databases and sabotage PLCs [2]. This is extremely dangerous to affected devices, as it can weaken overall system security by bypassing security measures and can cause critical system failures in key sectors such as energy and water treatment plants. This means that ICS systems face great risk from compromised supply chains and from any product they may have received from a malicious vendor. This threat calls for immediate action and the implementation of security measures to prevent long-term damage to critical systems.
Mitigation
The best mitigation strategy starts with removing the malicious NuGet packages from installed registries and enforcing stronger verification processes [3]. Companies should also implement tools that monitor their supply chain to verify packages and files, and patch vulnerabilities or exploits to reduce both the damage and the chance of an attack. These strategies reduce the chance of malicious code reaching ICS systems and enable early detection of tampered libraries or packages. The key to prevention is proactive supply chain planning that mitigates risk while ensuring the reliable delivery of essential components; balancing security with operational continuity is the best course of action.
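As an added example (not code from this advisory or from any cited source), the following Python script applies the allowlist-style package verification recommended above to a .NET project file: every PackageReference is checked against an approved list, and unapproved IDs that embed or nearly match an approved one are reported as lookalikes. The project file, the APPROVED allowlist and the misspelled Newtonsoft.Jsom entry are constructed for illustration; Sharp7Extend is the typosquat named in the Background section.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

# Constructed sample project file for demonstration; not from any real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sharp7" Version="1.1.0" />
    <PackageReference Include="Sharp7Extend" Version="1.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Newtonsoft.Jsom" Version="13.0.3" />
  </ItemGroup>
</Project>"""
# Hypothetical allowlist an ICS integrator might keep for its PLC tooling.
APPROVED = {"Sharp7", "Newtonsoft.Json"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def package_ids(csproj_xml: str) -> List[str]:
    """Collect every PackageReference Include= attribute in the project file."""
    root = ET.fromstring(csproj_xml)
    return [el.get("Include") for el in root.iter("PackageReference") if el.get("Include")]

def lookalike_of(pkg: str, approved: Set[str]) -> Optional[str]:
    """Return the approved ID this package imitates, or None. Heuristics: the ID
    embeds an approved ID (Sharp7Extend -> Sharp7) or is within edit distance 2."""
    low = pkg.lower()  # NuGet IDs are case-insensitive
    for good in approved:
        g = good.lower()
        if low != g and (g in low or levenshtein(low, g) <= 2):
            return good
    return None

def audit(csproj_xml: str, approved: Set[str]) -> Dict[str, str]:
    """Map each package not on the allowlist to a finding string."""
    findings = {}
    for pkg in package_ids(csproj_xml):
        if pkg not in approved:
            target = lookalike_of(pkg, approved)
            findings[pkg] = f"lookalike of {target}" if target else "not on allowlist"
    return findings
```

The "embeds an approved ID" rule also flags legitimate extension packages from trusted authors, so treat each finding as a candidate for review rather than an automatic block.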
Relevance
ICS systems provide essential services to countries all around the world, and attacks targeting those systems actively endanger public safety by putting everyday people at risk. Mitigation is strongly recommended because supply chain attacks can hide in critical systems for years before activating, allowing more systems to become infected as the scale of the attack increases. Effective mitigation strategies strengthen system resilience and help protect both public image and public safety from long-term attacks.
References
[1] Daws, R. (2025, November 7). Malicious time bomb packages on NuGet target databases, industry. Developer-Tech. https://www.developer-tech.com/news/malicious-time-bomb-packages-on-nuget-target-databases-industry/
[2] Lakshmanan, R. (2025, November 7). Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation. The Hacker News. https://thehackernews.com/2025/11/hidden-logic-bombs-in-malware-laced.html
[3] Muchai, F. (2025, November 8). 9 malicious NuGet packages caught hiding, set to detonate in 2027–2028. Cryptopolitan. https://www.cryptopolitan.com/malicious-nuget-to-detonate-2027-2028/
[4] Toulas, B. (2025, November 7). Malicious NuGet packages drop disruptive ‘time bombs’. BleepingComputer. https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-drop-disruptive-time-bombs/