NuGet Package Under Scrutiny: Industrial Espionage Suspected

Specialists at ReversingLabs have uncovered a suspicious package within the NuGet package manager, ostensibly targeting developers who utilize tools from the Chinese company Bozhon Precision Industry Technology, which specializes in the production of industrial and digital equipment.

The package, named SqzrFramework480, was first published on January 24, 2024, and has been downloaded 2,999 times to date. It contains a DLL library, “SqzrFramework480.dll,” which is equipped with functions for taking screenshots, sending them to a remote IP address, and continuously checking the connection with the IP address every 30 seconds.

According to ReversingLabs, while these actions individually may not be considered malicious, collectively they raise suspicions and could indicate an attempt at industrial espionage, especially in systems equipped with cameras, machine vision, and robotic arms.

The amalgamation of these functions in a single package breaches security protocols and may suggest a deliberate attempt to inject malicious code under the guise of innocuous software. Despite the potential threat, there exists an alternative explanation: the package could have been a leak from a developer or a third party working with the company, intended for transmitting camera images to a workstation.

The connection of SqzrFramework480 to the Chinese firm Bozhon Precision Industry Technology is hinted at by the use of the company’s logo as the package icon. The package was uploaded by a NuGet user account named “zhaoyushun1999.” As of now, the SqzrFramework480 package has been removed from the repository for violating the Terms of Use.

ReversingLabs emphasizes that such incidents highlight the complexity of supply chain threats and the necessity for a thorough analysis of libraries before their download. Open repositories like NuGet increasingly contain suspicious and malicious packages, aiming to lure developers and insert malevolent modules into their workflows.