Socket Exposes Malicious NuGet Packages Set to Detonate in 2027 and 2028—Time Bomb for Dev Ecosystems

Security researchers at Socket have uncovered a cluster of malicious NuGet packages lurking in dependency chains—programmed to activate in 2027 and 2028. These sleeper threats could bypass current detection tools, lying dormant until their trigger dates.

Why now? Because Wall Street wouldn’t care until the first bank gets hit. The packages mimic legitimate libraries, a supply-chain attack waiting to exploit future projects. Socket’s report suggests these could be test runs for larger campaigns.

Devs: Audit your dependencies now—unless you enjoy explaining breaches to the SEC. The 2027/2028 timeline gives teams a runway to purge these time bombs before they detonate.

9 NuGet hidden threats in legitimate code

The nine identified malicious packages could affect all three major database providers used in .NET applications: Microsoft SQL Server, PostgreSQL, and SQLite. One package, Sharp7Extend, specifically targets industrial PLCs used in manufacturing and process automation. 

Socket’s research propounded that the database could be vulnerable to a dual-purpose supply-chain attack threatening software development and critical infrastructure operations.

Pandya coined package Sharp7Extend as the most dangerous of the malicious packages, being a typosquat of the legitimate Sharp7 library .NET implementation for communicating with Siemens S7 programmable logic controllers. 

Appending “Extend” to the trusted name could help the malicious package “accidentally” install code through automation engineers searching for Sharp7 improvements. The package bundles the full unmodified Sharp7 library with its malicious payload. Standard PLC communication may appear as if it’s working as expected during testing, but the embedded malware is masked. 

“Sharp7Extend targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation,” the security researcher said.

The malicious packages use C# extension methods to add dangerous code to database and PLC operations without changing the original code. For database packages, an .Exec() method is added to command types, while Sharp7Extend adds a .BeginTran() method to S7Client objects. 

The extensions run automatically every time an application does a PLC action or a query. After the trigger date, the malware makes a random number between 1 and 100.

If the number exceeds 80, which there’s a 20% probability it will actually happen, the package immediately kills the running process using Process.GetCurrentProcess().Kill(). An abrupt termination then occurs without warnings or log entries that could seem like network instability, hardware faults, or other “non alarming” system errors.

Sharp7Extend also implements delayed write corruption through a timer that sets a 30–90 minute grace period. After the grace period, a filter method called ResFliter.fliter() begins silently failing write operations 80% of the time. 

Methods affected include WriteDBSingleByte, WriteDBSingleInt, and WriteDBSingleDInt. Operations appear successful while data is not actually written to the PLC.

Timer set for August 2027 to November 2028

Socket security’s report said certain database-focused packages in the campaign’s crossroads, including MCDbRepository, are slated to execute their payload on August 8, 2027. SqlUnicornCore and SqlUnicornCoreTest could likely go active on November 29, 2028.

“This staggered approach gives the threat actor a longer window to collect victims before the delayed-activation malware triggers, while immediately disrupting industrial control systems,” Pandya explained.

Socket’s investigation found that the name “shanhai666” and portions of the source code is of Chinese origin.

In September, cybersecurity analysts uncovered code on Microsoft Internet Information Services (IIS) servers that had been exploiting vulnerabilities since 2003. The operation involves malicious IIS modules used for remote command execution and search engine optimization (SEO) fraud.

Get $50 free to trade crypto when you sign up to Bybit now