Between August 2024 and October 2025, security researchers publicly disclosed four separate typosquatting campaigns on the NuGet registry, together accounting for tens of thousands of downloads before takedown. The most recent, a homoglyph attack impersonating the popular Nethereum blockchain library, was reported on October 18, 2025 and removed by the NuGet team roughly four days later. Taken individually, each incident reads like an isolated cleanup. Taken together, they describe a campaign pattern: NuGet has become a proving ground for typosquatting techniques that are more patient, more targeted, and harder to catch in code review than the throwaway malware that once defined the technique.
This report walks through the four disclosed campaigns, extracts the common tradecraft behind them, and outlines what defenders should be watching for in the .NET ecosystem going forward.
The Scope of the Problem
NuGet has historically drawn less attacker attention than npm or PyPI, largely because enterprise .NET shops tend to pin dependencies more conservatively and package counts are smaller. That assumption no longer holds. Since mid-2024, at least four distinct threat actors or campaigns have used typosquatting, name-confusion, and homoglyph tricks to get malicious .NET packages in front of developers:
- August 2024 — A coordinated campaign using four interlinked packages (
NCryptYo,DOMOAuth2_,IRAOAuth2.0,SimpleWriter_) published between August 12–21, 2024, under the NuGet alias "hamzazaheer," accumulating more than 4,500 downloads before disclosure. - 2023–2024, disclosed November 2025 — Nine packages published under the alias "shanhai666," most notably
Sharp7Extend, a typosquat of the widely used Siemens S7 PLC communication librarySharp7. Combined downloads reached 9,488 before the packages were reported to NuGet on November 5, 2025. - October 2025 — A wallet-theft campaign impersonating the Nethereum Ethereum SDK, using both a plain typosquat (
NethereumNet) and a Cyrillic homoglyph variant (Netherеum.All, with a Cyrillic "е" substituted for the Latin one). - February 2026 —
StripeApi.Net, a package designed to mimic the officialStripe.netclient library used by payment integrations.
Each of these campaigns targeted a different developer population — identity and auth developers, industrial automation engineers, crypto-wallet integrators, and payments teams — which suggests typosquatting on NuGet is no longer opportunistic spray-and-pray. It is being run as a set of parallel, audience-specific operations.
Case Study: Sharp7Extend and the Industrial Control Systems Time Bomb
The most consequential campaign to date targeted Sharp7, a .NET library used to communicate with Siemens S7 programmable logic controllers (PLCs) in manufacturing and industrial environments. The malicious package, Sharp7Extend, exploited a naming pattern developers commonly search for — an "extended" or "enhanced" version of a known library.
What made Sharp7Extend unusually hard to catch is that it bundled the complete, unmodified, legitimate Sharp7 library (version 1.1.79, authored by Federico Barresi) alongside its malicious payload. A developer who imported the package and exercised its PLC communication functions would see it work exactly as expected — because it was, functionally, the real thing plus a hidden second stage. Static review and even light dynamic testing would show 99% legitimate behavior.
The sabotage logic operated on two timers. Immediately upon use, the package introduced a 20% random failure rate on PLC communication calls, silently dropping commands such as safety-system engagement or setpoint updates while reporting success to the calling application. A second, delayed mechanism activated 30–90 minutes after load, causing write operations to silently return zero instead of the actual result 80% of the time. Both mechanisms were also gated behind hardcoded trigger dates in 2027 and 2028 — a deliberate choice to outlive the typical incident-response window and make retrospective attribution and cleanup far harder. Socket's research team, which disclosed the campaign, noted that portions of the code and the "shanhai666" alias point toward Chinese-language origin, though attribution to a specific actor remains unconfirmed.
This is a materially different threat model than credential-stealing malware: it is a pre-positioned capability for physical-process disruption in manufacturing and critical infrastructure, delivered through a routine dependency update.
Case Study: Wallet Theft via Homoglyph Typosquatting
The Nethereum campaign, disclosed in October 2025, illustrates a second technique class: visual deception rather than misspelling. Alongside a conventional typosquat (NethereumNet), the actor published Netherеum.All, substituting a Cyrillic "е" (U+0435) for the Latin "e" in the legitimate Nethereum name — a string that is visually identical in most fonts and package listings but fails exact-match comparisons used by allowlisting or dependency-pinning tools that aren't Unicode-aware.
Both packages contained an XOR-decoded routine that established a runtime command-and-control channel used to exfiltrate private keys, mnemonic seed phrases, and other wallet key material — a direct path to financial theft for any application or service integrating blockchain functionality. NuGet suspended the publisher and removed the homoglyph package on October 20, 2025, about four days after the report reached the registry's security team — a relatively fast turnaround, but one that still left a multi-day exposure window for anyone who had already pulled the package into a build.
Case Study: Hijacking Authentication Flows
The August 2024 campaign against ASP.NET developers took a subtler approach: rather than stealing data outright, the four packages (NCryptYo, DOMOAuth2_, IRAOAuth2.0, SimpleWriter_) were designed to intercept ASP.NET Identity authorization flows. Once integrated, they exfiltrated user and permission data and injected attacker-controlled authorization rules — effectively giving the operator a path to escalate privileges or grant themselves access inside applications that trusted these packages for authentication plumbing. Naming choices leaned on OAuth- and identity-adjacent terminology that would read as plausible utility libraries to a developer scanning search results under time pressure.
Common Tradecraft Across Campaigns
Reviewing these four campaigns side by side surfaces a consistent playbook:
- Name-adjacency over exact copying. Attackers append terms like "Extend," "Net," or "All" to legitimate, well-known library names rather than copying them outright, banking on developers not double-checking a package that "sounds right" for what they were already searching for.
- Bundling real functionality. The most effective packages (
Sharp7Extendin particular) include the genuine upstream library so the package behaves correctly, buying the malicious code time and cover. - Delay and probability as evasion. Rather than firing on install, payloads increasingly use randomized failure rates, multi-hour delays, and multi-year-forward trigger dates — techniques built specifically to defeat sandboxed analysis and short observation windows.
- Targeting by developer population. Campaigns are increasingly built around a specific audience — industrial engineers, crypto integrators, identity developers, payments teams — rather than casting a wide net, which increases the odds a plausible-sounding name gets past a distracted reviewer.
- Unicode and encoding tricks. Homoglyph substitution defeats naive string-matching in both human review and automated allowlist tooling that isn't normalized for Unicode confusables.
Why This Matters for .NET Supply Chains
NuGet's package model — heavy use of MSBuild targets, transitive dependencies pulled automatically on restore, and a registry that, like its peers, allows any account to publish under a plausible name — gives typosquatted packages the same blast radius as legitimate ones the moment they're referenced in a .csproj or packages.config. Unlike a phishing email, a malicious NuGet package doesn't need a user to click anything; it needs a developer to run dotnet restore. And as the Sharp7Extend case shows, the payload doesn't even need to be exotic — it can be legitimate code with a time bomb attached, which is far harder for either human reviewers or traditional signature-based scanners to flag.
How Safeguard Helps
Safeguard is built to catch exactly this class of threat before it reaches production. Our SBOM generation and ingest pipeline maintains a continuously updated inventory of every NuGet (and cross-ecosystem) dependency in your applications, including transitive packages that typosquats like Sharp7Extend rely on to hide, so a name-confusion package entering your tree is visible the moment it lands rather than discovered months later during an audit. Griffin AI, Safeguard's detection engine, is trained on the tradecraft patterns above — name-adjacency, bundled-legitimate-code cover, and delayed or probabilistic payload triggers — to flag suspicious new packages and publisher behavior faster than manual review can. Reachability analysis then tells your team whether a flagged package's malicious code paths are actually invoked by your application, cutting through alert noise so security teams can prioritize the dependencies that pose real risk instead of chasing every match in the SBOM. Where a typosquat or vulnerable transitive dependency is confirmed, Safeguard can generate an auto-fix pull request that swaps in the correct package or a patched version, turning a multi-day incident-response cycle into a same-day merge.