2027 Time Bomb: Covert NuGet Packages Target SQL and PLCs with Scheduled Sabotage

by ddos · November 10, 2025

Researchers discovered several NuGet packages in the public registry that conceal covert sabotage code scheduled to activate in 2027 and 2028. The tainted packages target three popular .NET data engines—Microsoft SQL Server, PostgreSQL, and SQLite—and one component is deliberately disguised as a library for interfacing with Siemens S7 PLCs.

Analysts at Socket identified nine packages published under the account shanhai666. At first glance the libraries behaved like ordinary modules—roughly 99% of their code performed legitimate functions, so maintainers could easily overlook anything suspicious. Yet each package harbored a tiny malicious fragment—an approximately 20-line routine woven into standard application calls.

The insertion technique exploits C# extension methods. Those extensions execute on every database operation or PLC interaction, which allows the malicious snippet to enter the execution flow without altering application interfaces. Internally the code checks the system date: if it falls within a hard-coded window (from 8 August 2027 to 29 November 2028), a random number between 1 and 100 is generated. If the value exceeds 80 (about 20% probability), the code invokes Process.GetCurrentProcess().Kill(), abruptly terminating the current process.

For server applications and high-throughput services such behavior translates into sudden service crashes and interruptions of request processing. In industrial environments the same logic can sever connections to equipment and disable critical control nodes.

A particular concern is the package Sharp7Extend, masquerading as an extension to the well-known Sharp7 library—a .NET solution for Siemens S7 PLC communication. The attacker intentionally chose a closely similar name, betting that developers searching for “improvements” to Sharp7 would discover and adopt it. This counterfeit library implements two attack modes.

The first mode triggers immediate session termination: when a transactional function is invoked, 20% of calls forcibly terminate, halting exchanges with the controller. This mode remains active until 6 June 2028. The second, more insidious mode attempts to read a nonexistent configuration value, breaking initialization; it then enables a write-operation filter and imposes an artificial delay of 30 to 90 minutes. After the delay, parameters matching the filter have an 80% chance of being corrupted. The consequences are severe: actuators stop receiving commands, setpoints are not updated, protective systems fail to engage, and process variables remain stale or adopt erroneous values.

The combination of immediate process termination and delayed data corruption makes the attack multi-staged: first monitoring and communications are disrupted; then a latent fault is planted in the control logic that later manifests as safety and process failures.

When publishing their findings, researchers noted that the shanhai666 account originally hosted 12 packages, but only 9 contained the malicious payload; after tens of thousands of downloads (around 9.5k), the account and its packages were removed from the catalog. Nevertheless, risk persists: projects that already consumed these dependencies may be compromised once the triggers activate.

Practical guidance for development teams and industrial operators is as follows. First—immediately audit the dependency list and check for these package names: SqlUnicorn.Core, SqlDbRepository, SqlLiteRepository, SqlUnicornCoreTest, SqlUnicornCore, SqlRepository, MyDbRepository, MCDbRepository, and Sharp7Extend. If a match is found—remove the component, roll back to a verified safe build, and restore applications from trusted backups. Second—inventory downloads and build artifacts to ensure the toolchain has not pulled infected versions.

For industrial controllers, separately inspect write-operation logs: compare recorded values to expected setpoints, trace missing or malformed commands, and review protection-trigger logs. Where feasible, implement validation of written data—checksums, transactional confirmations, or a secondary confirmation channel for critical setpoints. Finally, tighten the policy for accepting third-party modules: forbid automatic inclusion of unvetted extensions, require vendor digital signatures, and scan code for suspicious constructs.

The report’s authors stress that motives and attribution remain unknown, but the implementation demonstrates a well-crafted supply-chain attack. A tiny malicious fragment embedded within trusted libraries can inflict serious disruption across IT infrastructures and industrial processes unless swift detection and remediation measures are taken.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal