Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation
(thehackernews.com)
I had to look it up: NuGet is the package manager for .NET, sort of a counterpart to NPM, I guess. Anyone know if these packages are distributed as source code?
Source-code-only NuGet packages exist, but they are not very common. NuGet packages are just zip files that contain a manifest file and usually a couple of .NET assemblies. Since it's basically just a versioned zip file with some targeting information, you can package whatever you want with it.
Well, do the packages tend to be closed source? .deb packages are also often just binary, but there is usually a separate source package available.
They vary by publisher
Many packages are open source, some are not. Source code is usually not distributed via NuGet; you can instead use the project URL from the manifest to find the sources if they are available.
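The package layout described in the replies above (a zip archive holding a manifest plus compiled assemblies, with the project URL in the manifest) can be checked before installing. This is an added example, not part of the thread; the function names, the sample package id and the URLs are hypothetical, and treating `contentFiles/` as the marker for shipped source is an assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted packages, prefer defusedxml
def local(tag):
    """Drop the XML namespace; the nuspec schema namespace differs between versions."""
    return tag.rsplit("}", 1)[-1]

def inspect_nupkg(data):
    """Summarise a .nupkg (bytes): manifest metadata, bundled binaries, source files."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # The manifest is the single *.nuspec file at the archive root.
        nuspecs = [n for n in names if "/" not in n and n.lower().endswith(".nuspec")]
        if len(nuspecs) != 1:
            raise ValueError(f"expected one root .nuspec, found {len(nuspecs)}")
        root = ET.fromstring(zf.read(nuspecs[0]))
    meta = next((el for el in root if local(el.tag) == "metadata"), None)
    if meta is None:
        raise ValueError("nuspec has no <metadata> element")
    info = {"id": None, "version": None, "projectUrl": None, "repository": None}
    for el in meta:
        name = local(el.tag)
        if name == "repository":
            info["repository"] = el.get("url")  # the URL is an attribute here
        elif name in info:
            info[name] = (el.text or "").strip() or None
    info["binaries"] = sorted(n for n in names if n.lower().endswith((".dll", ".exe")))
    # Heuristic (assumption): source-only packages ship code under contentFiles/.
    info["sources"] = sorted(n for n in names if n.lower().startswith("contentfiles/")
                             and n.lower().endswith((".cs", ".vb", ".fs")))
    return info

def build_sample_nupkg():
    """Constructed sample package; the id and URLs are hypothetical."""
    nuspec = """<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata><id>Example.Sample</id><version>1.2.3</version>
    <projectUrl>https://example.com/sample</projectUrl>
    <repository type="git" url="https://example.com/sample.git" /></metadata>
</package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Example.Sample.nuspec", nuspec)
        zf.writestr("lib/net8.0/Example.Sample.dll", b"MZ")
        zf.writestr("contentFiles/cs/any/Helper.cs", "// source")
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_nupkg(build_sample_nupkg()))
```

A package that lists binaries but no `repository` or `projectUrl` gives you nothing to compare the shipped assemblies against, which is the case worth flagging in a dependency review.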