27 March 2024

Suspicious NuGet package steals data from industrial systems

Cybersecurity firm ReversingLabs has flagged a suspicious package on the open-source package manager NuGet. The package, named SqzrFramework480, appears to target developers working with technology associated with BOZHON Precision Industry Technology Co., Ltd., a China-based firm specializing in industrial and digital equipment manufacturing.

Initially posted on NuGet in late January 2024, the SqzrFramework480 package came under scrutiny due to its unusual behavior, prompting further investigation by ReversingLabs' research team. The package, a .NET library purportedly designed for calibrating robotic movement settings, managing GUIs, initializing machine vision libraries, and more, was found to exhibit behaviors typically associated with malicious files.

According to ReversingLabs' analysis, SqzrFramework480.dll combined several capabilities: taking screenshots, sending ping packets, opening sockets, and transmitting data over them. Each of these on its own is unremarkable, but the combination may point to malicious activity. The working theory is that captured screenshots are sent to a remote server over the open socket, with the ping packets serving as a heartbeat check for the exfiltration server.
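The triage logic described above (no single capability is alarming, the combination is) can be turned into a simple package check. The script below is an added example written for this article; it is not ReversingLabs' tooling and contains none of the SqzrFramework480 code. It treats a .nupkg as the zip archive it is, pulls out every .dll, and looks for the .NET namespace and member names behind each capability (System.Drawing/CopyFromScreen for screenshots, System.Net.NetworkInformation/Ping for ICMP, System.Net.Sockets/Socket for raw traffic). It assumes that a compiled .NET assembly keeps those referenced names as null-terminated UTF-8 entries in its #Strings metadata heap, so a byte search finds them without a full metadata parser; the sample "DLL" it scans is a constructed heap fragment, not a real assembly.

```python
"""Capability-combination triage for a NuGet package.

Added example for this article, not ReversingLabs' tooling and not the
SqzrFramework480 code. Heuristic: screenshot capture, ICMP ping and raw
socket traffic are each benign alone; all three together warrant review.

Assumption: referenced type/member names sit in the .NET #Strings heap as
null-terminated UTF-8, so a byte search over the DLL locates them.
"""
import io
import zipfile

# Indicator strings per capability. The identifiers are real .NET names;
# grouping them this way is this example's own choice.
CAPABILITIES = {
    "screenshot": [b"\x00System.Drawing\x00", b"\x00CopyFromScreen\x00"],
    "ping": [b"\x00System.Net.NetworkInformation\x00", b"\x00Ping\x00"],
    "socket": [b"\x00System.Net.Sockets\x00", b"\x00Socket\x00"],
}


def assess_assembly(data: bytes) -> dict:
    """Return {capability: bool} for one DLL's raw bytes.

    A capability counts only if every indicator is present, so a lone
    'Ping' string (e.g. from an unrelated identifier) does not count.
    """
    return {cap: all(ind in data for ind in inds)
            for cap, inds in CAPABILITIES.items()}


def scan_nupkg(fileobj) -> dict:
    """Scan every .dll inside a .nupkg (a zip archive) and aggregate."""
    found = {cap: False for cap in CAPABILITIES}
    per_file = {}
    with zipfile.ZipFile(fileobj) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".dll"):
                continue
            caps = assess_assembly(zf.read(name))
            per_file[name] = caps
            for cap, present in caps.items():
                found[cap] = found[cap] or present
    # Flag only the full combination the article describes.
    return {"files": per_file, "capabilities": found,
            "suspicious": all(found.values())}


def build_constructed_nupkg(dll_payload: bytes) -> io.BytesIO:
    """Constructed sample package; the 'DLL' is a fake heap, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/net48/Example.dll", dll_payload)
        zf.writestr("Example.nuspec", "<package/>")
    buf.seek(0)
    return buf


# Constructed #Strings-heap fragments used as demo input.
FULL_COMBO = (b"\x00System.Drawing\x00CopyFromScreen\x00"
              b"System.Net.NetworkInformation\x00Ping\x00"
              b"System.Net.Sockets\x00Socket\x00Send\x00")
BENIGN = b"\x00System.Drawing\x00CopyFromScreen\x00System.IO\x00File\x00"

if __name__ == "__main__":
    for label, payload in (("combo", FULL_COMBO), ("benign", BENIGN)):
        report = scan_nupkg(build_constructed_nupkg(payload))
        print(label, report["capabilities"], "suspicious:", report["suspicious"])
```

To use it on a real package, pass an open file handle for the downloaded .nupkg to scan_nupkg; a hit is a reason to look at the assembly in a decompiler, not a verdict, since a GUI library that really does screen capture plus a diagnostics feature can legitimately match.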

The package was published by a NuGet user account under the handle zhaoyushun1999. Despite efforts to gather more information about the author, ReversingLabs' research team found limited details beyond the NuGet profile, which only listed the SqzrFramework480 package.

Furthermore, the zhaoyushun1999 Gitee account linked in the package description had no publicly viewable projects at the time of the investigation.

ReversingLabs attempted to reach out to BOZHON Precision Industry Technology multiple times to ascertain any potential connection between the NuGet account and the company or its employees. As yet, there has been no response from BOZHON.

“Since there is no additional information to refine our analysis further, we can’t say with confidence that the SqzrFramework480 is malicious. Our explanation of the features we observed (e.g. that it was part of an espionage campaign aimed at Bozhon developers and customers) is just speculation. The RL research team has not had confirmation from the company one way or another,” the team noted.

“The bigger issue, however, is easier to grasp. Namely, that open source repositories like NuGet are increasingly hosting suspicious and malicious packages designed to attract developers and trick them into downloading and incorporating malicious libraries and other modules into their development pipelines. The sheer growth in such supply chain threats — which affect both open source and proprietary software ecosystems — puts the onus on development organizations to apply both caution and scrutiny to any third party code they wish to use, while also continuing to scrutinize internally developed code for potential supply chain risks.”
