Socket for .NET

Secure Your .NET Projects

Install our free GitHub app to protect .NET dependencies from vulnerable and malicious code.

Detect and block malware, mining software, open source license violations, code quality issues, and 70+ indicators of supply chain attacks. Socket is a full-featured enterprise-ready SCA tool that can be seamlessly dropped into your workflow with just two clicks.

Socket supports NuGet and Paket

And all your favorite tools

We protect you from vulnerable and malicious .NET packages

youshow.ace.eventbus.rabbitmq

9.0.3

by Ace

Live on nuget

Blocked by Socket

This assembly contains a benign-sounding RabbitMQ extension surface but also a large, heavily obfuscated runtime loader that reads embedded resources/files, decrypts/transforms them and executes code in memory using native APIs and dynamic delegates. These capabilities (in-memory execution, VirtualAlloc/mprotect, OpenProcess/WriteProcessMemory, dynamic code emission) are not required for a message-bus extension and are strongly indicative of a malicious reflective loader/backdoor. Treat this package as highly suspicious: do not use it in production, remove from trusted dependency lists, and perform a forensic analysis to extract and analyze decrypted payloads and any network indicators.

kejie.bos.dataentity

2.0.6

by Kejiesoft

Live on nuget

Blocked by Socket

This code contains a highly obfuscated runtime loader that decrypts embedded resources and injects/executes them into the host process using native memory APIs, /proc/self/mem, Marshal pointer writes, dynamic method emission, and delegate injection. It also contains anti-debug and integrity checks. These are strong indicators of a malicious in-memory loader/backdoor or reflective loader intended for stealthy code execution. I recommend treating this package as malicious and not using it; remove and investigate any systems that have this code or package installed. Further analysis of the embedded resources would be required to determine the final payload behavior.

upwest.calendar

1.13.19

by Ângelo Santos

Live on nuget

Blocked by Socket

This assembly contains highly suspicious and likely malicious behavior. Besides normal MVC types, it embeds an obfuscated native/payload loader that reads encrypted resources, decrypts them, allocates executable memory, writes code, patches method pointers and invokes delegates — effectively performing in-memory code injection and runtime patching. Such capabilities are characteristic of a loader/backdoor or self-extracting malicious implant. Do not use this package; treat it as malicious and remove from supply chain.

ascon.netmemoryprofiler

1.0.5

by ASCON

Live on nuget

Blocked by Socket

This component implements a remote code injection mechanism: it writes a payload string into another process, installs a Windows hook into a target thread and triggers that hook via a custom registered window message; the hook reconstructs the string and performs Assembly.LoadFile + reflection-based MethodInfo.Invoke. The pattern is classic process injection / remote code execution. Without strict controls this is high-risk and can be used for malicious purposes (arbitrary code execution in other processes). If you did not expect injector functionality, do not use this package. If legitimate, require strong policy/authorization and restrict usage to trusted contexts.

hajiyebbxujageugdhajgah

1.0.0

by ZhuYR

Live on nuget

Blocked by Socket

This assembly contains multiple strong indicators of malicious or at least potentially unwanted behavior: obfuscation, automatic runtime unpacking (embedded encrypted resources decrypted with a bundled key), and direct process memory manipulation via Win32 APIs (VirtualProtect, WriteProcessMemory, ReadProcessMemory, OpenProcess, Marshal.WriteInt32). These behaviors are typical of in-memory loaders, code injectors, and packers used by malware. Treat this package as unsafe: do not run it in production or on trusted hosts; analyze in an isolated sandbox if further investigation is required.

everybim.revit.bimcore

2024.0.7

by EveryBIM

Live on nuget

Blocked by Socket

This file mixes normal WPF UI code with a strongly obfuscated loader/unpacker that reads embedded data, decrypts it, allocates executable memory, places payload bytes into memory, potentially patches module resolution and invokes native code via delegates. Those behaviors are consistent with an in-memory loader/backdoor or packer and represent a significant supply-chain/malicious risk. If this package is intended only as a UI library, the loader code is highly suspicious and should be considered malicious or at least untrusted until its purpose is validated by its authors or a full forensic analysis of the unpacked payload is completed.

imagecomponents.aspforms.imaging

4.0.3

by Image Components

Live on nuget

Blocked by Socket

This file contains two distinct parts: (A) a small ASP.NET UI control (ImgAnnotations) which appears benign, and (B) a large, heavily obfuscated runtime/loader module that performs resource decryption, integrity checks, and low-level native operations (VirtualAlloc, OpenProcess, WriteProcessMemory, VirtualProtect, GetProcAddress) along with dynamic delegate creation. The latter is characteristic of a loader/injector capable of decrypting and injecting executable payloads into memory or other processes. This is highly suspicious and consistent with malicious behavior (runtime code injection, in-memory execution). Do not trust or use this package without a complete provenance/trust review. If encountered in a dependency, treat it as compromised; remove and investigate build/release chain.

imagecomponents.win32.imaging

4.0.1.4

by Image Components

Live on nuget

Blocked by Socket

This assembly contains highly obfuscated code that reads and decrypts embedded data, allocates executable memory, writes raw bytes into process memory, patches runtime structures and executes code dynamically. Those are strong indicators of a runtime loader/backdoor or packer — behavior inconsistent with a normal UI control library. Treat this package as malicious or at minimum extremely high-risk. Do not run in production; perform full analysis in a safe sandbox and obtain unobfuscated source or vendor confirmation.

upwest.bundle

1.0.14

by Angelo Santos, Ângelo Santos

Live on nuget

Blocked by Socket

This file includes an obfuscated runtime loader capable of reading embedded/encrypted resources, decrypting them and injecting/executing code in the host process by allocating memory, writing to /proc/self/mem (Linux), using VirtualAlloc/WriteProcessMemory/VirtualProtect (Windows), and patching CLR/JIT function pointers. Those behaviors are strongly indicative of a malicious loader/backdoor or at minimum a protected native payload that executes arbitrary code in-process. This is not appropriate for a UI component package and represents a serious supply-chain risk. Treat this package as malicious/untrusted and remove or quarantine it until further manual reverse-engineering confirms benign intent.

imagecomponents.blazor.ui

4.0.1.1

by Image Components

Live on nuget

Blocked by Socket

This file mixes benign-looking licensing classes with a heavily obfuscated runtime loader/anti-tamper component that performs in-memory decryption, allocates executable memory, patches function pointers, and can perform process memory writes. Those capabilities are high-risk: they enable execution of arbitrary native code in-process (and potentially in other processes) and are consistent with loaders, shellcode injectors, or strong anti-analysis protectors. Even if intended for legitimate licensing/anti-piracy protection, the techniques used are commonly abused in supply-chain attacks and malware. I recommend treating this package as high risk: audit the unobfuscated runtime payload (resources), verify provenance, and avoid using it in sensitive environments until the embedded payload and the exact runtime behavior are fully understood.

meichen.common

0.0.38

by MeiChen

Live on nuget

Blocked by Socket

This assembly contains heavy obfuscation and a runtime loader/packer component that decodes embedded resources, dynamically reconstructs delegates/methods, and calls native OS APIs for memory allocation and process memory writes. Those capabilities (dynamic code emission + VirtualAlloc/WriteProcessMemory/OpenProcess + libclrjit interactions) are characteristic of malware loaders, in-memory code injection, or backdoors. Combined with networking and system-information collection, this module is high risk and should be treated as malicious or at least strongly suspicious. Do not use in production; further dynamic analysis in an isolated sandbox and full binary/resource extraction is recommended to confirm payloads.

tx.orm.ui

1.1.1

by TianTeng

Live on nuget

Blocked by Socket

Report 2 provides a stronger, more actionable assessment of malicious-capable characteristics within the code. It correctly identifies anti-tamper mechanics, heavy obfuscation, dynamic in-memory code loading, and extensive unmanaged interop as high-risk indicators. The improved conclusion reinforces the need to treat this component as a high-security risk and to excise or replace it from any production supply chain unless a rigorous, transparent, and auditable provenance is established.

walter.web.firewall

2021.4.5.1653

by Walter Verhoeven, Walter Verhoeven, Stijn Snellinx, Walter Verhoeven, Lambert Snellinx

Live on nuget

Blocked by Socket

The fragment exhibits high-risk characteristics consistent with loader/backdoor behavior: dynamic, resource-based assembly loading; runtime payload decoding/decompression; and anti-analysis checks designed to evade scrutiny. While components could support legitimate plugin architectures, the pervasive obfuscation and runtime loading surfaces create a strong likelihood of covert code execution or payload deployment. Treat as elevated supply-chain risk and require thorough code review, provenance verification, and removal or hardening of runtime-loading hooks before use in production.

imagecomponents.wpf.imaging

4.0.0.1

by Image Components

Live on nuget

Blocked by Socket

This assembly is strongly obfuscated and includes a runtime loader that decrypts embedded blobs and performs low-level native actions: memory allocation, memory protection changes, writing to process memory, resolving and replacing runtime pointers, and invoking code in-place. Those behaviors are characteristic of a loader/packer or in-memory code loader/backdoor and are not expected in a simple image barcode WPF control. I consider this package malicious or at least extremely high-risk for supply-chain compromise. Do not use this package in production; treat it as compromised, isolate analysis in a sandbox, and remove from the dependency chain.

solnetall.net

0.0.23

Live on nuget

Blocked by Socket

NuGet package (author YetiCorp) impersonating Solana tooling; listed among the 14 malicious packages in ReversingLabs' investigation and associated with wallet-stealing behavior.

chant.voicemarkupkit

10.0.0

by Chant Inc.

Live on nuget

Blocked by Socket

The code fragment demonstrates patterns commonly associated with in-memory payload loading and execution: embedding resources, decrypting/transforming data, and employing dynamic IL generation with reflection to invoke code. While not irrefutably malicious from this fragment alone, the design is high-risk for supply-chain scenarios and should be treated as a potential loader/backdoor candidate. Recommend thorough deobfuscation, static/dynamic malware scanning, build-signing verification, and provenance validation before integrating into any open-source package.

imagecomponents.wpf.imaging

4.0.1.3

by Image Components

Live on nuget

Blocked by Socket

This assembly embeds a highly obfuscated loader/unpacker that decrypts embedded resources and performs in-memory code injection (allocating executable memory, writing machine code, patching CLR/runtime pointers and invoking patched methods). These are high-risk behaviors suitable for malware, loaders, or covert runtime payload execution. If this package is used in production or distributed via package managers, treat it as malicious/untrusted until the decrypted payload and intent are validated in a secure sandbox. The visible WPF controls are likely innocuous UI wrappers but are bundled with a dangerous runtime component. Recommended actions: block it or use it only in an isolated environment, perform dynamic analysis in a controlled sandbox to inspect the decrypted payload, and prefer replacing it with a known-good non-obfuscated library.

nemesis.essentials.net

6.8.8

by Michał Bryłka, Leszek Kowalski

Live on nuget

Blocked by Socket

On assembly load the <Module> static constructor launches PowerShell to run a command that: 1) builds a temp .bat path via [System.IO.Path]::GetTempFileName() + ‘.bat’, 2) downloads a remote file from https://raw[.]githubusercontent[.]com/TerryDavisSoldier/textfilestorage/main/terry[.]txt using Invoke-WebRequest, 3) writes it to the temp .bat, and 4) invokes Start-Process on that .bat with WindowStyle Hidden. This silent, hardcoded download-and-execute chain gives an attacker arbitrary remote code execution the moment the library is loaded—classic supply-chain/backdoor behavior. Remove the package and any hosts that loaded it.

nailib

3.3.1

by linuxsand

Live on nuget

Blocked by Socket

Overall, the code exhibits high-risk characteristics typical of loader-like or protected components with covert payload handling, persistent startup, and keylogging capabilities. While it may contain legitimate UI utilities, the embedded decryption payload flow, heavy obfuscation, and low-level native interop warrant rigorous provenance checks, signed payload verification, and potential removal or isolation of the loader components if not strictly required for UI functionality. Recommend treating as suspicious in public distribution and performing a full upstream audit before integration.

zworks.ui

0.0.8

by ZWorks.UI, FXY, F

Live on nuget

Blocked by Socket

This assembly contains a highly obfuscated runtime unpacker/loader that reads embedded resources, performs cryptographic verification and decryption, allocates and writes executable memory, manipulates process/module memory and invokes code at runtime. Those behaviors are typical of packers/loaders and present a serious supply-chain and runtime-execution risk. Treat this package as malicious/untrusted until proven otherwise: do not include or run it in production. If you maintain the project, isolate and remove the unpacker/loader and audit the repository and build pipeline. If this was unexpected in a UI control package, assume compromise of the package or developer keys.

walter

2024.7.9.1504

by Walter Verhoeven, Stijn Snellinx, Walter Verhoeven,Stijn Snellinx, Walter Verhoeven, Lambert Snellinx

Live on nuget

Blocked by Socket

This fragment exhibits high-risk patterns typical of loaders or backdoors: pervasive obfuscation, runtime payload loading, resource-based decryption, and extensive dynamic/native interop. While some components could support legitimate license checks or platform abstraction, the combination creates significant supply-chain/security risk. Do not rely on or publish this code in public dependencies without a full, isolated security audit, a teardown of embedded payloads, and a transition to transparent, well-scoped implementations.

ivp.notification

1.0.17

by Pratham Shetty

Live on nuget

Blocked by Socket

The majority of the code is legitimate UI/modal functionality. However, there is an explicit malicious/disruptive snippet that targets users based on navigator.language and host TLDs: it disables page interaction and injects/plays a looping audio file from a hardcoded external URL after a 3-day delay. This is a politically motivated, supply-chain style malicious behavior and should be considered malicious. Remove or patch this code and treat the package as compromised.

cash-app-hack-july-2020-generator-4.1.1

4.1.1

by Ranjini

Live on nuget

Blocked by Socket

The DLL’s AssemblyDescription attribute is abused to embed spammy, scam-promoting text advertising a “Cash App hack” and directing users to phishing URLs such as https[:]//cash-app[.]live/. No legitimate functionality or executable logic is provided beyond an empty class, indicating the package exists solely to facilitate social-engineering and fraudulent activity.

eric.framework.baidusms

7.0.0

by Eric Huang, Eric.Framework.BaiduSms

Live on nuget

Blocked by Socket

This assembly contains a normal-looking Baidu SMS API surface but also embeds a large, strongly obfuscated runtime loader/unpacker (class z8ydjxRgvBeZk2hCIku). The loader reads encrypted embedded resources, decrypts them with hardcoded keys, allocates executable memory, writes/patches runtime method pointers, and can call native APIs like VirtualAlloc/VirtualProtect/OpenProcess/WriteProcessMemory. These behaviors are typical of a packed/obfuscated loader that can execute arbitrary payloads inside the host process and even inject into other processes. This is unexpected and dangerous for a dependency that should only provide an SMS client. I assess high risk: do not trust or use this package in production without a complete provenance and security audit; treat it as possibly malicious or at least extremely suspicious code.

binance.csharp

1.56.35

Live on nuget

Blocked by Socket

Malicious code in binance.csharp (NuGet)

Socket CLI

Not using GitHub? Generate reports next to your tests with our CLI

We help security teams work more efficiently

Cut through the noise and focus on real threats.

Get actionable alerts for the supply chain risks that matter. Socket highlights risky dependencies directly within the developer workflow.