Safeguard
Vulnerabilities

The Moq Vulnerability: What Happened and What to Do

The Moq incident wasn't a classic CVE — it was a popular .NET mocking library quietly bundling a data-collection dependency in a routine version bump, and it's a case study in why supply-chain monitoring has to watch behavior, not just version numbers.

Safeguard Research Team
Research
5 min read

The Moq vulnerability everyone in the .NET ecosystem started talking about in August 2023 wasn't a traditional code-execution CVE — it was the discovery that Moq, one of the most widely used mocking libraries for .NET unit testing, had quietly added a dependency called SponsorLink starting in version 4.20.0. SponsorLink collected developers' email addresses (hashed, but still extracted from local git configuration) during the build process, without a clear opt-in, as part of a plan to nudge users toward sponsoring the project financially. It wasn't malware and it didn't exfiltrate source code, but it landed in millions of build pipelines through a routine, unremarkable-looking version bump — which is exactly what made it alarming.

What did Moq's SponsorLink dependency actually do?

SponsorLink, developed by the same maintainer behind another popular library, AutoMapper, hashed a developer's email address (pulled from the local git configuration during the build) and sent that hash to a remote endpoint to check sponsorship status, with the eventual intent of nagging non-sponsors in build output. The mechanism ran during the build process itself — inside CI pipelines, on developer machines, anywhere dotnet build or dotnet test executed against a project referencing the affected Moq version — without an explicit consent step most developers would have noticed before it happened. The reaction was swift: developers flagged it as an undisclosed data collection practice bundled into a testing library that had no business making network calls at all, and the backlash was strong enough that the maintainer walked the behavior back within days, decoupling SponsorLink from Moq entirely in a follow-up release.

Why did this incident worry people more than a typical CVE?

Because it exposed a blind spot that version-based vulnerability scanning doesn't cover: a scanner checking Moq against a CVE database would have shown nothing, since there was no assigned CVE and no code-execution exploit — the "vulnerability" was a behavioral and trust issue, not a memory-safety or injection bug. Moq had over 100 million downloads at the time, meaning the change touched an enormous number of build pipelines silently, through what looked like an entirely routine dependency update. It's a similar shape to the node-ipc "protestware" incident and other cases where a maintainer used their position to make an unrequested change to widely depended-upon software — the mechanism differs each time, but the underlying gap is the same: nothing in a standard update process forces a human to review what a new version actually does before it's pulled into a build.

What should teams have done differently, and what can they do now?

Pin dependency versions deliberately and review the diff before bumping a widely used library, especially a build-time or test-time dependency that has no obvious reason to need network access. The uncomfortable truth is that most teams don't review changelogs for transitive dependencies at all, let alone diff the actual package contents, which is why this kind of change reaches production build pipelines undetected until someone happens to notice unusual network activity or unexpected build output. Practically, that means treating build and test tooling with the same scrutiny as production dependencies — a mocking library has no legitimate reason to phone home during a test run — and using tooling that can flag new outbound network behavior or newly introduced dependencies in an update, not just known-CVE matches.

Does this kind of incident count as a supply chain attack?

Not in the malicious sense — SponsorLink wasn't designed to steal credentials or execute arbitrary code, and the maintainer reversed course under community pressure. But it belongs in the same conversation as supply chain security more broadly, because it demonstrates the same structural risk: a single maintainer decision, rolled out through the normal update channel, reaching every downstream consumer without a review gate. Whether the motivation is financial (as here), ideological (as with node-ipc), or criminal (as with event-stream or the 2025 chalk/debug compromise), the delivery mechanism — an ordinary-looking version bump to a trusted package — is identical, and it's why supply chain monitoring needs to watch for behavioral change, not just match version strings against a CVE list.

FAQ

Was there an official CVE assigned to the Moq/SponsorLink incident?

It generated significant community concern and press coverage, but the core issue was undisclosed data collection behavior rather than a classic exploitable vulnerability, so it wasn't treated the same way a memory-safety or injection CVE would be in vulnerability databases.

Is Moq still safe to use?

The maintainer removed the SponsorLink dependency shortly after the backlash, and current versions don't include it. Teams should still pin and review dependency updates as a general practice, independent of this specific incident.

How is this different from a typosquatting attack?

Typosquatting relies on a fake package with a similar name to a real one. This incident involved the real, legitimate package itself, maintained by its actual author, making an undisclosed change — a different and in some ways harder threat to detect with automated tooling.

Can SCA tools catch this kind of issue?

Standard CVE-matching SCA tools generally can't, since there's no vulnerability database entry for behavioral changes like this. Tools that monitor for new dependencies, unexpected network calls, or diff-level changes between versions are better positioned to flag this class of risk.

How Safeguard Helps

Safeguard's SCA engine tracks dependency version changes across every build and flags newly introduced transitive dependencies, which is exactly the kind of change that let SponsorLink ride into millions of pipelines unnoticed. Griffin, Safeguard's AI analysis layer, reviews package updates for behavioral anomalies beyond known-CVE matching, so an unexpected new network call or credential-adjacent behavior in a routine version bump gets flagged before it reaches a production build.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.