Malicious NuGet, npm Packages Target Developers

Cybersecurity researchers uncovered a sophisticated attack in February 2026, where four malicious NuGet packages targeted ASP.NET developers through the repository. The packages, downloaded thousands of times, aimed to steal sensitive identity data and manipulate authorization rules within web applications.

Published in August 2024 by a user named hamzazaheer, the packages worked in concert to establish a C2 proxy and exfiltrate information. Security researcher Kush Pandya explained the objective was to compromise the applications developers build rather than their machines directly.

Consequently, attackers could gain persistent admin-level access to any deployed application instance. The campaign’s components included a dropper, credential stealers, and a utility for hidden file execution.

Meanwhile, a separate npm campaign was discovered involving the package ambar-src. This malicious code, uploaded on February 13, 2026, exploited preinstall scripts to deliver different payloads based on the operating system, as detailed by Tenable.

This malware downloaded reverse shells for Linux and Windows and a JXA agent called Apfell for macOS. Its mature design suggests it evolved from a previous malicious package, eslint-verify-plugin.

Furthermore, the ambar-src package exfiltrated stolen data to a Yandex Cloud domain to blend with legitimate traffic. Tenable warned that any system with the package should be considered fully compromised, as removal does not guarantee all malware is eliminated.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• AI Spots Critical Bug In Major Ethereum Client
• Elliptic’s Lens Unifies Screening, Cuts Alert Time by 50%
• Hong Kong to Issue Stablecoin Licenses Next Month
• Circle Stock Soars 15%+ on Strong Q4 Earnings Beat
• Saylor’s “Sell a Kidney” Bitcoin Advice Costs Billions