- NuGet campaign exfiltrated ASP.NET Identity data and created backdoors after amassing over 4,500 downloads.
- Separately, a malicious npm package, ambar-src, was downloaded over 50,000 times before its removal.
- Both supply chain attacks target developers to compromise the applications they build or the machines they use.
Cybersecurity researchers uncovered a sophisticated attack in February 2026, where four malicious NuGet packages targeted ASP.NET developers through the repository. The packages, downloaded thousands of times, aimed to steal sensitive identity data and manipulate authorization rules within web applications.
Published in August 2024 by a user named hamzazaheer, the packages worked in concert to establish a C2 proxy and exfiltrate information. Security researcher Kush Pandya explained the objective was to compromise the applications developers build rather than their machines directly.
Consequently, attackers could gain persistent admin-level access to any deployed application instance. The campaign’s components included a dropper, credential stealers, and a utility for hidden file execution.
Meanwhile, a separate npm campaign was discovered involving the package ambar-src. This malicious code, uploaded on February 13, 2026, exploited preinstall scripts to deliver different payloads based on the operating system, as detailed by Tenable.
This malware downloaded reverse shells for Linux and Windows and a JXA agent called Apfell for macOS. Its mature design suggests it evolved from a previous malicious package, eslint-verify-plugin.
Furthermore, the ambar-src package exfiltrated stolen data to a Yandex Cloud domain to blend with legitimate traffic. Tenable warned that any system with the package should be considered fully compromised, as removal does not guarantee all malware is eliminated.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
