Monday, June 16, 2025
HomeComputer SecurityHackers Abuse NuGet Packages to Deliver SeroXen RAT

Hackers Abuse NuGet Packages to Deliver SeroXen RAT

Published on

SIEM as a Service

Follow Us on Google News

The NuGet package manager, which .NET developers widely use, has been under attack by a series of malicious activities, according to a report by cybersecurity firm ReversingLabs. 

The intrusion, which follows previous investigations on npm, PyPI, and RubyGems ecosystems, shows that NuGet is also vulnerable to software supply chain attacks by threat actors.

The coordinated campaign that started in August involved attackers exploiting NuGet’s MSBuild integrations feature, demonstrating a more sophisticated and stealthy method of compromising the open-source ecosystem.

- Advertisement - Google News

The campaign, similar to earlier attacks on npm and PyPI, shows the persistent attempts of these attackers to undermine the trust and security of software packages.

The Hidden Danger: Abusing NuGet’s MSBuild Integrations

ReversingLabs researchers have discovered a novel execution technique used by these attackers. 

Instead of using conventional methods where malicious code is embedded in initialization and post-installation PowerShell scripts, the attackers used the `<packageID>.targets` file in the “build” directory. 

This technique allows them to conceal the malicious functionality, raising alarms about the quality of open-source packages.

The discovery goes back to a package named “IAmRootDemo,” which revealed the core of this execution technique. 

By exploiting MSBuild integrations, attackers can run code embedded in inline tasks, posing a significant security risk for developers depending on external packages.

Typosquatting and Decoy Packages

The malicious packages identified by ReversingLabs, such as ZendeskApi.Client.V2, Betalgo.Open.AI, and Forge.Open.AI, are part of the same elaborate scheme initiated in August. 

These packages cleverly used typosquatting on popular NuGet packages, making them hard to distinguish from legitimate ones. 

Utilizing MSBuild integrations
Utilizing MSBuild integrations to execute malicious code in NuGet packages


Moreover, the attackers used spaces and tabs to hide the malicious code, adding another level of deception.

The Ongoing Fight for Software Supply Chain Security

This revelation highlights the urgent need for improved visibility inside software packages to differentiate between malicious and legitimate functions. 

Traditional application security testing tools face difficulties in combating these advanced attacks, requiring specialized skills and modern solutions. 

ReversingLabs Software Supply Chain Security emerges as a vital tool, filling the gaps and enabling development and application security teams to protect their supply chains from compromise.

As developers navigate the complex landscape of open-source ecosystems, vigilance and proactive security measures are essential. 

The evolving tactics of threat actors require a collaborative effort from the cybersecurity community, developers, and organizations to ensure the integrity and security of software packages. Stay tuned for further updates as the cybersecurity landscape continues to evolve.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...