Fake libraries on NuGet
Investigation of a supply chain attack on NuGet
I was casually browsing NuGet’s most downloaded packages to stay in the loop when I noticed a pretty weird thing:
#2 seemed to be a client for Alipay, a Chinese payment system, which isn’t something that popular:

I thought that it could be a CI gone mad or something like that, and opened the package page: https://www.nuget.org/packages/AlipaySDK.Net/
The library was uploaded just 4 days ago and has 600k daily downloads, which is 3 times more than the most popular library on NuGet, Newtonsoft.Json:

I went a bit further and opened the author’s page: https://www.nuget.org/profiles/ZhangZhongWei
There were 6 more packages that look like Alipay API clients, with all of them uploaded just 4 days ago and having millions of downloads:

This still could be some kind of attempt to self-promote a legitimate library by inflating the number of downloads, so that NuGet would rank these libraries higher on the search results page. I went ahead, downloaded the nupkg, and decompiled the library with DotPeek. There’s an AlipaySDK.Factory class that pretends to be an Alipay API client, but actually sends the data to an unencrypted HTTP endpoint at an IP in Hong Kong:

The IP doesn’t belong to Alipay, and it’s just some home server:

Dec 12 Update: NuGet deleted the packages and banned the author.