China Spying for Developers via Nuget Package Backdoor

Specialists from ReversingLabs have discovered a suspicious package in the NuGet package manager allegedly targeting developers using tools from the Chinese company Bozhon Precision Industry Technology, known for industrial and digital equipment.

A package named sqzrframework480 was initially released on January 24, 2024, and has been downloaded 2999 times. Within the package, the SQZRFRAMEWORK480.DLL library was identified, containing functions for capturing screenshots, sending them to a remote IP address, and continuously checking with the IP address every 30 seconds.

ReversingLabs considers these actions individually as malicious, but when combined, they raise suspicion and suggest a potential industrial espionage attempt, particularly in systems equipped with cameras, machine vision, and robotic arms.

The combination of these functions within a single package violates safety protocols and could indicate a deliberate insertion of harmful code disguised as harmless software. However, there is a possibility that the package could be a leaked tool from a developer or third party working with the company, intended for transferring images from a camera to a workstation.

The association of SQZRFRAMEWORK480 with the Chinese company Bozhon Precision Industry Technology is evident in the use of the company’s logo as the package icon. The package was downloaded using the NuGet user account “zhaoyushun1999”.

Currently, the SQZRFRAMEWORK480 package has been removed from the repository with a notice of misuse violation.

ReversingLabs stresses that such incidents highlight the complexity of threats in supply chains and emphasize the importance of thoroughly examining libraries prior to downloading. Open repositories like NuGet are increasingly prone to hosting suspicious and malicious packages aimed at luring developers and introducing harmful modules into their development processes.

/Reports, release notes, official announcements.