ReversingLabs has been actively tracking a malicious campaign targeting the NuGet package manager since the beginning of August, 2023. This report presents the findings of that research, which shows how malicious actors are continuously improving their techniques and responding to disruption of their campaigns.
Since the beginning of the campaign, threat actors behind this campaign refined their attacks, moving from exploiting NuGet’s MSBuild integrations to a strategy that uses simple, obfuscated downloaders that are inserted into legitimate PE binary files using Intermediary Language (IL) weaving, a .NET programming technique for modifying an application’s code after compilation.
Discussion
In October 2023, the RL research team reported on a malicious campaign targeting the NuGet repository, a popular open source package manager for .NET code. The campaign has been active since the early August 2023 and included more than 700 malicious packages.
The threat actors behind this campaign have since evolved their methods to achieve execution of their malicious code. Attacks started with simple initialization and post-installation Powershell scripts in the affected packages which contained malicious downloader functionality. The hundreds of malicious NuGet packages the RL research team detected weren’t hard to spot — they contained links within their install scripts (unusual) and, upon closer inspection, contained no non-malicious functionality. Following the installation and execution of the downloader, second stage malware was retrieved from an attacker-controlled C2 server.
In the later stages of this campaign, the threat actors moved from initialization scripts to a lesser-known technique that exploits NuGet’s MSBuild integrations feature. Malicious functionality was added to build tasks inside a *.targets file ensuring that malicious code gets executed every time the project is built. Additionally, a lot of effort was put into making malicious packages look as trustworthy as possible, by choosing suitable impersonation packages, making clever typo-squats, using icons from impersonated packages and by pumping up the package download counts.
Patching .NET binaries with malicious content
As already concluded, the threat actor behind this campaign is determined to push malware into NuGet repository and has been doing it regularly for more than the last six months. It can be concluded that this threat actor is quite skilled also: they are constantly improving their arsenal with edgy execution techniques that can be used in .NET projects.
The latest malicious packages published by this threat actor are using a technique called “IL weaving” to add malicious functionality to legitimate Portable Executable (PE) .NET binaries. In these attacks, the attacker takes a compiled .NET binary from a legitimate NuGet package and patches it in order to inject a module initializer into it.
Dotnet documentation says that module initializers are “executed at, or sometime before, first access to any static field or first invocation of any method defined in the module.” Simply said, they are the first thing that is executed when a .NET module is loaded. They can be added to the source code and created at the compile time, but a much more interesting way to add them is by patching already compiled .NET binaries using Intermediate Language (IL) weaving. Here, the original binary is first decompiled, then the desired functionality is added (“weaved”) to it. Finally it is compiled back to an executable file. Libraries like Mono.Cecil can be used to handle MSIL (Microsoft Intermediate Language) or CIL compiling and decompiling. There are open source tools like Fody that encapsulate MSIL construction and simplify IL weaving.
Figure 1: IL weaving
Since the end of October, NuGet packages containing three types of patched, malicious .NET DLL libraries have been observed. All of them implement the same downloader functionality, and download second stage malware seen in the previous phases of this campaign: the obfuscated SeroXen RAT.
Using binary patching, threat actors tried to make their malware downloader packages harder to detect. Analyzing compiled binaries is a bit harder task than analyzing PowerShell scripts, which contain commands in plaintext format that are easier to scan. What also made detection harder is the fact that all of the patched binaries were DLL files, which aren’t executed on their own or by default. Rather, DLLs are libraries that are called and executed under specific circumstances, which complicates dynamic analysis. But there are tools like ReversingLabs Spectra Assure that are capable of extracting behavior indicators during static analysis, making it possible to detect the presence of suspicious functionality inside compiled binary files.
These aren’t the Gunas you’re looking for: homoglyphs in action
The threat actors copied Guna.UI2.WinForms, a popular open source package that is used for creating desktop UIs. Using IL weaving, the threat actor modified the code to inject a module initializer and named the modified package Gսոa.UI3.Wіnfօrms, an obvious effort to “typo squat” on the name of the legitimate package. They then published it to the NuGet repository.
What’s interesting here is that Guna is actually a reserved prefix name on the NuGet repository. That means that only the authors that own and manage the Guna prefix can publish packages starting with that specific name — a security feature of sorts. So while it looks like a high-level NuGet account compromise, it's actually not.
Figure 2: Package with a reserved prefix
As it turns out, this “Guna” isn’t what it seems. That’s because the threat actor exploited a NuGet feature — its support for homoglyphs — to create a package that convincingly mimics those that use the reserved “Guna” prefix.
Homoglyphs are unique characters that look identical, while having totally different features (sounds) and digital identifiers. So, for example, the latin lower case “u” and the Armenian character “ս” (“seh”) are visually identical. However, each has a unique sound associated with it and a unique unicode value — \u0075 for the latin “u” and \u057D for the Armenian “seh.” While humans may not be able to tell them apart when visually scanning text, computers see and treat them as completely different characters.
Looking more closely at the name of the imposter NuGet package Guna.UI3.WinForms package, RL found four of these homoglyph characters mimicking their latinate doppelgangers: ս(\u057D), ո(\u0578), і(\u0456) and օ(\u0585).
Using RL Spectra Assure platform to analyze the two packages revealed important differences between the legitimate Guna.UI2.WinForms and the imposter Guna.UI3.WinForms packages. Specifically, it revealed that two .NET binaries were tampered with to include a module initializer.
Figure 3: Spectra assure Diff
When RL researchers compared the two .NET binaries using third-party tools that can decompile and diff the code to show us the differences between them, our research team noticed that the two packages have the same contents, with the biggest difference being the module initializer inside the modified, malicious package.
Figure 4: Package diff & obfuscated Initialize() method.
Green = new (malicious) code; purple = modified code; red = removed code
The strings inside the module initializer (Figure 4) are obfuscated by a simple method. Adjacent to every character the threat actor tries to “hide”, they’ve placed a dummy string (in this case {#}{$}{&}{(}{_}{#}{%}{^}{^}{#}{!} that is removed at runtime by searching for the dummy string and removing it. It’s very easy to get the deobfuscated code and see what this DLL does.
Figure 5: Deobfuscated code: Initialize() function
Figure 5 shows the inner workings of the first stage malware, a simple downloader that fetches a batch script from a C2 server and executes it, triggering the second stage of the infection process that ends with the installation of the SeroXen RAT.
Detection: YARA won’t do it
Since the code for the module initializer is located inside the pseudo-class <Module>, it can’t be detected by YARA out of the box, because it’s skipping parsing that class.
RL Spectra Assure provide a behavioral indicator for it. Module initializers are not purely used by malware. They are used for many legitimate reasons such as setting up code before the main execution starts (in other words, initializing a module) and by obfuscators — tools used to protect the intellectual property of developers.
However, RL can combine this indicator with others in order to create a good threat hunting heuristics for identifying suspicious packages.
Figure 6: Indicators
Evolve your AppSec to stay up to speed with threats
Threat actors are constantly evolving the methods and tactics they use to compromise and infect their victims with malicious code that is used to extract sensitive data or provide attackers with control over IT assets. Any methods that give them an edge over defenders and allow their actions to remain undetected have a high value and are likely to be adopted by malicious actors. That’s why defenders have to evolve alongside threat actors in order to catch any possible threats on time and stay safe.
And that’s what happened in this latest campaign, which saw attackers using a variety of new — or rarely seen — techniques to escape detection and increase the changes of their malicious code being downloaded and used. Those techniques include binary patching of DLLs via IL weaving to make malicious downloader code harder to detect. They also include the attackers’ use of “homoglyphs” in typosquatting attacks. Those are glyphs or characters with an identical visual appearance to a common character (like “u” or “o”), but a different logical representation. To date, RL researchers have identified approximately 60 packages and 290 package versions that are part of this same campaign abusing module initializers. Some of the packages can be seen in the IOCs list below.
All the identified packages were reported to NuGet administrators and have since been removed from the NuGet platform.
This latest campaign highlights new ways in which malicious actors are scheming to fool developers as well as security teams into downloading and using malicious or tampered with packages from popular open source package managers like NuGet. With scores of packages and hundreds of malicious versions, the latest campaign highlights the need for development organizations to up their game and stay abreast of a fast evolving software supply chain threat landscape.
Indicators of Compromise (IOCs)
Indicators of Compromise (IoCs) refer to forensic artifacts or evidence related to a security breach or unauthorized activity on a computer network or system. IOCs play a crucial role in cybersecurity investigations and cyber incident response efforts, helping analysts and cybersecurity professionals identify and detect potential security incidents.
The following IOCs were collected as part of ReversingLabs investigation of this software supply chain campaign.
NuGet packages:
| package_name | version | SHA1 |
| Gսոa.UI3.Wіnfօrms | 2.0.4.8 | 63f76e3f51dd053d04dcd9584f0c1cc484b7a747 |
| AlgoTrading | 3.2.56 | 99f263f38a7af5330ba5a2b6885c9f38604c7080 |
| AlgoTrading | 3.2.57 | 9e385ec2739e08b3b0e48ca3c1cfdef41772cfce |
| AlgoTrading.Net | 5.0.164 | cc5f779e027528cc7433393aeee220a82bd206b3 |
| Altcoins | 1.45.24 | bb4b99f5aed7c5a73e32a36c38139ea936967d3c |
| Altcoins | 1.45.25 | fde010d1035f50912096a07e684dd1761e5c618b |
| Altcoins.Library | 2.12.5 | 10ead6e0c6f537393c73bc8ef4be20dc296cc55b |
| AnimatedGifWpf | 2.1.0 | dfec8f1e00c9ca220d222eb78e46693907229995 |
| AnimatedGifWpf | 2.0.2 | 8b294d1a1677a77ddb55924f960da42dc94de572 |
| AnimatedGifWpf | 2.0.8 | b54bdcf9835007dd73e58c46026c64232ccbcd7b |
| AnimatedGifWpf | 2.0.3 | 57ea56b45cbd59872ee459a02ef154b38fb19ec8 |
| AnimatedGifWpf | 2.0.9 | 570937f0b32f52254132f50c687d011a9fd3d15b |
| AnimatedGifWpf | 2.0.5 | 5a72ecc3a14c1cb7040518e3ed6ff2025b356c3d |
| AnimatedGifWpf | 2.1.1 | e3a8f5ff757a5658ba58a614af7ac884575cfc96 |
| AvalonEdit.Net | 8.3.0.91 | 3ce17b59fee72291e040aad556f019e5873c104a |
| AvalonEdit.Net | 8.3.0.93 | f38c121515b194859672522962f69a240459f55f |
| AvalonEdit.Net | 8.4.0.96 | b823730bd562cceb9ce589372963bc320364e05b |
| AvalonEdit.Net | 8.3.0.92 | c9cde77c8ee75d7aa503b0b8048eebd135e71cdc |
| AvalonEdit.Net | 6.3.0.90 | 524aac1318447588c018c5540d80aff3b9b01e17 |
| AvalonEdit.Net | 8.3.0.90 | ee897b3b266af9f9a0a77ba10dfd72326c8be95a |
| AvalonEdit.Net | 8.3.0.94 | 0b14dc1ae59a29e7053818ffe04eeee3f055357d |
| AvalonEdit.Net | 8.4.0.95 | f49b5072036a58949244ac1f13dccdb9582012cf |
| Binance.Libary | 7.0.3 | 2a8b52ae48ce566c680b874ded3f99fe23b35546 |
| Binance.Libary | 3.8.8 | df43e8caefef054e3428307d9c39fbecafb09993 |
| Binance.Libary | 2.7.4 | 4e8cfcd1ab54e0c4c4e4504927716f59e47e3a76 |
| Binance.Libary | 1.6.0 | 445ec2baaf4ee49d028c96f42288118d4a166c41 |
| Binance.Libary | 6.5.3 | 7574393406ffdefcf3b1ee9b6f906c6ba2112268 |
| Binance.Libary | 0.8.7 | c20c8bb09a67a5919f87390a7093af7ebd27cba9 |
| Binance.Libary | 6.1.0 | e70df5fb92e03bfedd21dba8736e009470cfa302 |
| Binance.Libary | 0.2.1 | 44c225b5703034ff60307c5cf70d02dd15761276 |
| Binance.Libary | 3.3.4 | cdc76806553973df505e347518e2b2b781f02789 |
| Binance.Libary | 6.0.3 | c06de81d34c3c50a8881467b3286d3e1fc579cd7 |
| Binance.Library | 0.6.1 | d0aca9cfe4d2377a36f4e0adb182290853f34feb |
| BitcoinLib.Net | 1.5.3 | b3029ad3627ded8b0611950c1c8d07b186aecd04 |
| BitcoinLib.Net | 2.2.7 | c98bab5278cc34672704a3ad7360e414d9a1178d |
| BitcoinLib.Net | 3.4.1 | e0ace774262235c7017756fc37f4ad4ff22a18ff |
| BitcoinLib.Net | 4.2.0 | 9c45457e1ef79a753c7399b475335fe64ea684ef |
| BitcoinLib.Net | 4.4.2 | 3b65bfa66d1dca1c53cd4dc789bcc129c2629e30 |
| BitcoinLib.Net | 4.5.2 | 9dccbe6a94b6ea4e7ab79b943ee9938a583078ef |
| BitcoinLib.Net | 4.7.6 | 0b2a6d554467c4e95ecb064a04805438da865b44 |
| BitcoinLib.Net | 7.0.6 | 3fe401ae620c06396becdb11e273575ba2513fb8 |
| BitcoinLib.Net | 7.7.6 | 900f8a431912e63cd5109df3b7d84c511f525e6a |
| BitcoinLib.Net | 8.6.8 | 583137cac2230cde79a3081d25a33d8bcab5e165 |
| Bunifu | 6.3.0 | a110f150400499a571950cd76e3eb8b2deb8df18 |
| Bunifu | 6.3.1 | 4c88f65520438a720f26e24292a656b8b6f668a5 |
| Bunifu.GUI | 6.3.0 | 155e755f0227be2bd2a6525d49ca8090c82a8f44 |
| C1.Wіn | 6.0.20232.630 | 29a41ca3d8190f8b7e56fcca0d3a6955d651929b |
| C1.Wіn | 6.0.20232.629 | 66a556c68c75a6e1acb25b1c91e86673faf164fa |
| C1.Wіn | 6.0.20232.632 | f2c2e0e77de8c9827b3242e72d1535cebc12fa29 |
| C1.Wіn | 6.0.20232.631 | 18c9f255a11cd09e8838378a8053f4f2e250fdac |
| CaptchaCsharp | 7.0.0 | 11652c493c8d0258ab2e15ff286a019f63ee1a63 |
| CaptchaCsharp | 7.0.1 | d82c855be7b81313d32858adbbabd2f7e925970c |
| CefSharp.WinForm.Net.Core | 112.3.20 | 1d95d6c97f0f1ba256cb2dbb04f9e0bdec46a8fc |
| CefSharp.WinForm.Net.Core | 112.3.22 | 38cd572e4c62a2fc14e426aa0c4660c337e33254 |
| CefSharp.WinForm.Net.Core | 112.3.30 | 1017cb51833b46ec8506c85eb573094ca57fad78 |
| CefSharp.WinForm.Net.Core | 112.3.28 | 248bcd4389562069a8fcda01694553cb34b3adc2 |
| CefSharp.WinForm.Net.Core | 112.3.23 | 3f1bf740a48fdad1532ead360978477a37c7a216 |
| CefSharp.WinForm.Net.Core | 112.3.31 | 0818bb6437e9dd359f6abf58707063971c47f1a2 |
| CefSharp.WinForm.Net.Core | 112.3.21 | 857e0ef11089d85795a1c63e0190fff308b9f314 |
| CefSharp.WinForm.Net.Core | 112.3.29 | 30e548a811a6f70795e54c4251e5b3f481ec1118 |
| CitizenFX | 2.54.7 | eee0ed760f36111062b854f6bfc686ce0a532740 |
| CitizenFX | 2.54.8 | 3aa85c7e1dbecf537644d92af137cb37d4843b98 |
| CitizenFX | 2.54.9 | 010b355a64ca91c272e3b41561782a79d914192d |
| Clipboard.net | 1.45.69 | da2c4108e667e7836daefba86646929e77d5eed0 |
| Clipboard.net | 1.45.67 | fef95f5b7076c10a7d5c088af483394e7e58c15e |
| Clipboard.net | 1.45.70 | e61e27b7fa29bd1c40ee3ce764d45d0bbc3f3f7d |
| Crypto.Exchange | 6.3.5 | 2f4962682d19d781af990c93b6bb2051e63c0ab3 |
| Crypto.Exchange | 6.2.4 | feee394fe433fe4fa6f2453912c8fd457fe96ede |
| Crypto.Exchange | 6.2.1 | b76369659917efaaae9256e346aa9b14803787d2 |
| Crypto.Exchange | 6.2.2 | e63b3b32f2858f765e43b76858a6a07294599315 |
| Crypto.Exchange | 6.3.4 | f197be799dbc81f972713fd09884708e76f519b6 |
| CsvHelper.Excel.Core.Net | 8.7.0 | 6eb837369bc7f77f079ac02d0c86e0f27735f41c |
| CsvHelper.Excel.Core.Net | 0.8.2 | 9be57e9ce84b3ec28ce8ae31e394a186d7ed3561 |
| CsvHelper.Excel.Core.Net | 7.3.3 | ef71dfd77a32c31f5235e9f54a04c399a3c58ac2 |
| CsvHelper.Excel.Core.Net | 1.7.4 | 2a047b5ec60651f33b6d7309501c6e5e074f1b19 |
| CsvHelper.Excel.Core.Net | 1.4.3 | 8b62d8fef4fb86c8a9ea1bb5914b71480bfa284d |
| CsvHelper.Excel.Core.Net | 5.3.0 | 3faf3c9a4f4799c0b898ae860cbbf3f9a3a5f33b |
| CsvHelper.Excel.Core.Net | 7.6.3 | e09be8525ee2c71c683cb4b581016e9afb64df59 |
| CsvHelper.Excel.Core.Net | 0.3.5 | 6a8031e83218d48d495ee927eb77647d534a98d4 |
| CsvHelper.Excel.Core.Net | 0.1.7 | d4b00418aab7f2f405667357490f3ff8ff559d4e |
| CsvHelper.Excel.Core.Net | 8.8.7 | 41627d1cbb79b39e6383dfe316c1c86de90ebb76 |
| DiscordRPC.Net.Core | 3.45.7 | c2cfba91e6e8019cf41dff7577aa9b0dd96aea83 |
| DiscordRPC.Net.Core | 3.45.8 | 39bc0e4ee34f2c87c038e2c82d6bc052ceea4dfc |
| DiscordRPC.Net.Core | 5.4.67 | 38040b78bd2a504c3f1265ff3a4247f48b59e087 |
| DiscordRPC.Net.Core | 3.45.9 | 3b178af110e13d9c89d738f82efec6a395964d7f |
| DiscordRPC.Net.Core | 5.4.68 | d0734df35d34f3b3479789ea9441a80b19cf4cb0 |
| dnlib.net | 4.3.7 | 98a6fda6e64514e268f6d1dd72fafd3b24110cac |
| dnlib.net | 4.3.0 | 7335726a8f95c0409cbcb2ceb8930ee84d800923 |
| dnlib.net | 4.3.1 | d83dab3cb2e969aed48f0c148c27d7bd11b83cd7 |
| dnlib.net | 4.3.2 | 20b527b6fcfb1670b02840c9d82c45b253c95c3d |
| dnlib.net | 4.3.3 | bc31ff417afd536d83801cdbfee109fa8d4c40e8 |
| dnlib.net | 4.3.4 | 1b26ede77ab102de1f218ca8216af9909ef9062c |
| dnlib.net | 4.3.5 | a17f04247745e67d3fdc4e381ffa4bd22e031b5d |
| dnlib.net | 4.3.8 | 591c56a9a026c63e8f853488c02edea190d37268 |
| dnlib.net | 4.4.0 | c303c98da30fc8ccdcbf09fcefe9fe104dbda531 |
| dnlib.net | 4.4.2 | 045a35177df11f595d89341a0010e2968e41e7b2 |
| dnlib.net | 4.4.1 | 5d6fff9f3dbe78948c9fbd90a78ffacc47b868b7 |
| dnlib.net | 4.3.6 | c5fb7d7344d4eb793753048d3d9f7a719173fc6c |
| Fluentmail.Smtp | 4.5.78 | c547f249a8a75def0f3151a9a1c1ba3173990ca6 |
| Gunа.GUI | 3.0.4.8 | 5756692989b0f6c663a0116708c79dcc773d886a |
| Gunа.GUI | 3.0.4.9 | f226f6a70a424b31f08811a1d0a97ca7888d5ffc |
| Gunа.GUI | 2.0.4.6 | f187778e776453b3662d04c99145cd6072fcf636 |
| Gunа.GUI | 3.0.4.7 | 18c75b9ddeab5148a32342f9491f790e3a83f3bb |
| HarmonyX.Net | 1.23.7 | 1e96254dc1770ed1064c042947413296c2d71cc7 |
| HarmonyX.Net | 1.23.6 | 9b79e4a73fb7a730158a5ea239e0037bfa48bbb4 |
| HarmonyX.Net | 1.23.5 | b2f14c371ce2a80aa7e926e8490224400962d26b |
| KeyAuthAPI | 1.2.56 | 4f383f395e1fe3c6004f43d1f0776b63a6caadef |
| Lib.Harmony.net | 1.1.7 | 577cb4ca7aa3870959f6bcad1ca16f13ff818bdd |
| Lib.Harmony.net | 1.3.1 | fb6b60ea283580c4e5f293b377067095076e1b11 |
| Lib.Harmony.net | 1.3.3 | 5e44e9b212bda8aae9686d671c1ac01383119113 |
| Lib.Harmony.net | 1.8.9 | a5b0ea86f7df21bfebb13a4d49a01e0efd5885e4 |
| Lib.Harmony.net | 4.5.1 | d9fa8fbf74cd3d8a7c076ffa881e09c9d06f57f7 |
| Lib.Harmony.net | 4.8.6 | 078ece1631999572f798b80764f672d87eeadd89 |
| Lib.Harmony.net | 5.5.9 | 38a760468513892ed1862256a8155be0c48cd69c |
| Lib.Harmony.net | 7.5.3 | 8b14e1e9768ad9239790601240b99e5ee6bfc0b4 |
| Lib.Harmony.net | 7.6.6 | b07ba025b1f3f6dc40b7c1d951c0c3a2562591e1 |
| Lib.Harmony.net | 8.5.7 | e60127d6ac4de7955da11c54ac0527471d5c7dd6 |
| Litecoin | 12.56.75 | e28e0a66a86a3054b738958e1a56db5cdc5ee316 |
| Litecoin | 12.56.74 | f1e33676e19e353ed86f1f5189e3d90c139b3db2 |
| 2.5.8 | 13cebdfcbf0aca65288843af4b1f0e43e9d90dff | |
| 2.6.0 | 83ad10a307dd7e7613cb3f9561f087eabe65600e | |
| 2.5.9 | ce8461dc05e4fe32c6ccc409e690cffe85ad3f3e | |
| Merger | 4.2.6 | 14c31858d16ae02b5640c58e7018a453144054d0 |
| Nemesis.Essentials.Net | 1.3.4 | c0cda8a821efa0475663c8328ec30413ecdf6b4a |
| Nemesis.Essentials.Net | 2.1.8 | 4046e1d0d2e9bc2eda10c77d5da35618dfdfc3b8 |
| Nemesis.Essentials.Net | 2.2.7 | eb0d319df13e91882c2b690bc8beb3c9c41daf2d |
| Nemesis.Essentials.Net | 2.4.3 | 507ac1d74f7701f123c23c83e09fe2c912d9898a |
| Nemesis.Essentials.Net | 4.6.3 | 928ab32d2a8b2a09d7a0984068be71b17462a64a |
| Nemesis.Essentials.Net | 6.7.1 | c2cf5c3bddb6dbc7b3d20d4145c1dd044ffff374 |
| Nemesis.Essentials.Net | 6.8.8 | 8cd115ee0606ba5e78cff5ba35c383cb4f1b611a |
| Nemesis.Essentials.Net | 7.5.3 | ec873e1bef5fccfff331c13bbfaf5de746ed374c |
| Nemesis.Essentials.Net | 8.3.7 | 602e9156b1b1985934a71d71a184f75def029ecd |
| Nemesis.Essentials.Net | 8.7.7 | 5dd5daf65c3921620f5a3815188795eaee9dd21e |
| NotifyIcon.Net | 1.1.0 | cef6abbf0ad3d3e7bdf6f5185fe95398d7815a4b |
| NotifyIcon.Net | 1.1.1 | efcf3b75b078141ceeedeb4115cfd0ec4f4eabcf |
| NotifyIcon.Net | 1.1.2 | 2e835f45e528952c86f3f3911a10b34b96e9c584 |
| NotifyIcons | 4.6.3 | d48eb862bb4909951a11dd2513303fed7d921f97 |
| NotifyIcons | 4.6.4 | 98ea676a60f2ea9a115f1e83a2a87ac22f8a5ce8 |
| NotifyIcons | 4.6.5 | 69c3d8b33c1f87073abee6da0b19bd44e08f3fb6 |
| OtpCsharp | 2.1.0 | f8fe8deb6ee829be8834488d469bbfb7dd161b5e |
| OtpCsharp | 2.1.1 | faaf28bbee46262edf9e71664f272d196815ae64 |
| Pathoschild.Stardew.ModBuildConfig.Net | 4.8.8 | 4f9cee4d37de8087ffdf3e839ea60394b4d02c81 |
| Pathoschild.Stardew.ModBuildConfig.Net | 4.4.8 | ccff9d991c675109c30e9e12da0eed9c44d0fe57 |
| Pathoschild.Stardew.ModBuildConfig.Net | 6.4.8 | ec81baaf39e528118beb17794559378360e3dbde |
| Pathoschild.Stardew.ModBuildConfig.Net | 9.6.9 | 0c0bc4cbeec99713cbbceb8bdb13e3c13a4e25c4 |
| Pathoschild.Stardew.ModBuildConfig.Net | 6.2.6 | ce228ba42c324304b1f5f0435fd4d19cb4dc5138 |
| Pathoschild.Stardew.ModBuildConfig.Net | 1.4.7 | 662633bef3c2e2f30fa87c1b4278c35ca530aec3 |
| Pathoschild.Stardew.ModBuildConfig.Net | 9.2.9 | 5c3d7fbbab7418b9116c471b18b75b2a8ce109a7 |
| Pathoschild.Stardew.ModBuildConfig.Net | 1.5.6 | 07e6ee5af98baa0cbf94865c610d46553944eeb1 |
| Pathoschild.Stardew.ModBuildConfig.Net | 5.1.3 | 1e55e29d61711a43a9bd852aad1bf2588ac1c08d |
| Pathoschild.Stardew.ModBuildConfig.Net | 2.1.9 | e7e29beeebc1962a41b4a5c5bc276ac9703d01f4 |
| PayPalMerchant.SDK | 45.51.1 | 2640116a1f2c7a9beb4ae586c7cac1690fd8e176 |
| PayPalMerchant.SDK | 45.40.7 | 3c0249c7d38ea56f6eab2e9b3ac2e8f3dc50e211 |
| PayPalMerchant.SDK | 45.51.0 | a15d437dbfd52124c38eae5be786bab98abb101b |
| PayPalMerchant.SDK | 2.16.250 | 9975b11c5992fc443795378e531c6fe96a590fb2 |
| PayPalMerchant.SDK | 3.40.0 | f6772febfdac9ae87d6a0f836beb1d02da2ef829 |
| PayPalMerchant.SDK | 45.40.6 | 559725ab2c1f8a4c5cddfe84a20c5e49ff62dd10 |
| PayPalMerchant.SDK | 45.40.8 | 164b3f84eb8cf376562d0cbe6854defb7dc2c6b4 |
| PayPalMerchant.SDK | 45.41.0 | e6c0784c385653729397d373e39d72e952b8c1a1 |
| PayPalMerchant.SDK | 45.40.9 | 94258698594843d4dd89b2c2c11eef652c4953b0 |
| Portable.Xaml.Net | 1.0.4 | eda143248e626cb8d627c45cc80af46652dde14b |
| Portable.Xaml.Net | 1.0.3 | 8b2a02761bf09d11dea59dbbb48dea843699b4dc |
| Portable.Xaml.Net | 1.0.1 | c3d5fef91a357c9dba5c05d71e0ee886fd9ce986 |
| Portable.Xaml.Net | 1.0.0 | 86f080d3a67f92dd27cffa19ff4b4f5ee297633a |
| Portable.Xaml.Net | 1.0.2 | 3bea931b46ff75b2298b2498c7a9315451c7f290 |
| Portable.Xaml.Net | 1.0.5 | 4fb6ae4282883c3696b215d1a7ba661c6f172113 |
| ppy.osu.Game.Lib | 3.5.1 | f33c13c6fab5e84212d7e927c03b69871de5d1f0 |
| ppy.osu.Game.Lib | 4.1.4 | 6b0349f6e4bb145582ff5d3b5e9c39949d960fa4 |
| ppy.osu.Game.Lib | 4.6.6 | bc44b63c9aca834ecd5cff5bf3e45cfaec6b9c0f |
| ppy.osu.Game.Lib | 8.0.2 | ea610dbfe84d996acd906d1a095a555f14446a3a |
| ppy.osu.Game.Lib | 7.7.4 | 346993740f1f97ce291f4e56cd5b0f05681eea18 |
| ppy.osu.Game.Lib | 6.4.2 | df023669d25dc76d3d4bbd369fb6a27d8b3d51c4 |
| ppy.osu.Game.Lib | 5.7.8 | 5cfab772cd8a0876a3c5c27b592cf27ce874b131 |
| ppy.osu.Game.Lib | 5.1.7 | 1976276c4a07f818f17ea0e9638ecd23acbb0672 |
| ppy.osu.Game.Lib | 5.3.5 | 3db5b2e0a8d697a4cbaa4eadded342a83c0349cf |
| ppy.osu.Game.Lib | 2.4.4 | 9c9a4982d799caf89c90f46efba047f3a7fe5d9e |
| psbuiId | 1.1.1-beta | 44df956adb53481401b9bcc9a6663f80e716c529 |
| PubIishIgnore | 1.0.11-beta | d4ee5f24f3d9e88287da58a0286d0c907ab24527 |
| PublishIgnor | 1.0.11-beta | 116eb215f3711a241327f495e162df58fa59e24e |
| Reddit.api | 2.3.8 | 52ae6324efb68125e35e10b633d62ea0231a130f |
| Reddit.api | 3.2.4 | a7478a150b3f39eb70349ff865165f11a54b9609 |
| Reddit.api | 3.2.8 | 03f5849439a7e84706d7ce5b37447f0f28420813 |
| Reddit.api | 4.4.3 | 68357d1c1d26d9ee052b15e35c604cfaf39d8ee6 |
| Reddit.api | 6.9.3 | c2d934c58ea03fb51ba0d07ee46ee42b73d6135f |
| Reddit.api | 7.6.6 | eac0fb3023ae1d29e7328f71b80a3a9ddc7cef44 |
| Reddit.api | 7.7.4 | f4a4212d2e22cdac8d6670fe3eb618cd63e7cc85 |
| Reddit.api | 8.8.4 | ba1a4914894b64b6410794c03fb76b18096a9841 |
| Reddit.api | 8.8.6 | 820e848ff1bf523d48a1c80d275d2d81bd4ba046 |
| Reddit.api | 9.3.3 | df8e67053ddf3e7032de9b3b26b11a3e386576ad |
| Reothor.Lab.EvilPackage | 2.0.1 | a2c18519cc9e86e5fc6794ba88252605e2d14558 |
| Reothor.Lab.EvilPackage | 2.0.0 | cbbbb21a072e600c79f50c1bf1ce04fc4af069b9 |
| Reothor.Lab.EvilPackage | 4.4.4.4 | b271e4ab5fd2fb54510627139be14b768ad17e3f |
| Reothor.Lab.EvilPackage | 1.3.3.7 | ca0bb5fdc55f3a357c0886d952998eedfa0616ce |
| Reothor.Lab.EvilPackage | 200.0.0 | ea3603c5c3344b84600ff1c0a1d19e8e9166fef5 |
| Reothor.Lab.EvilPackage | 4.4.5.5 | b971184ce8c1139aaf9a6c8b5d759fd1999edfc0 |
| Reothor.Lab.EvilPackage | 100.0.0 | 6989e1c80f57097db738b5691eb58d2b7393396e |
| Rg.Plugins.Popups.Net | 3.4.0 | 1390986940342afc8cbb1971206d8a7766a47cf8 |
| Rimworld.Reference.Libary | 7.7.7 | 85557704e1e3d7a8656dd24b7b922f62d08b9d7d |
| Rimworld.Reference.Libary | 7.2.5 | 152b80f2f17c550be6ce5e63ba0dd71b009585e4 |
| Rimworld.Reference.Libary | 3.0.4 | 6497c9156dd34dd4a6223fd3ac745da578c8acc1 |
| Rimworld.Reference.Libary | 2.7.8 | f100f49b51436ae0ef9d98daf25b3083d35e18ae |
| Rimworld.Reference.Libary | 8.4.0 | 702207c5ba78ea268441231728adcf22be4faf48 |
| Rimworld.Reference.Libary | 8.6.8 | 91bb8e1f27249f5fac2fcc4374193b41ba60f01d |
| Rimworld.Reference.Libary | 4.4.7 | 27336053d60a288bfb4c96450275123c275c13f5 |
| Rimworld.Reference.Libary | 2.4.8 | 124db2687b848b4e219cc5fc5df7cf67c421c545 |
| Rimworld.Reference.Libary | 5.3.0 | 3eef35ea27babaab9b626b9594467f3381d90926 |
| Rimworld.References.Net | 1.8.2 | daf6c24b1235c4b98f71a0dc59c402c605e69919 |
| Rimworld.References.Net | 4.3.0 | 1a52adf422f2e1827e071066d2d9d1b3f042545c |
| Rimworld.References.Net | 0.1.3 | 8de22bf2e2b0b7fb85d6b7a42371f552b3e7bfec |
| Rimworld.References.Net | 7.5.0 | b57308feb84789768e2e3ec498e3526ba21e0d56 |
| Rimworld.References.Net | 2.5.0 | 9f4ef943122cdc52fdba518213983522b73db6dc |
| Rimworld.References.Net | 1.0.6 | 3779208b290b91834824241427f5a4eb5d343777 |
| Rimworld.References.Net | 1.6.2 | fd8ade952069e03ae2a17a6acdafd7ab585c85b6 |
| Rimworld.References.Net | 8.5.0 | b6448e9d0ada9a344cbe377e1ef9d8bb2b694383 |
| Rimworld.References.Net | 4.1.2 | d1159076ab9df1f421a289e392b7b44441e479da |
| Rimworld.References.Net | 6.4.6 | e9bf0279abcc72967e41c65a4a56b39067ed9132 |
| Sanka.UI2.WinForms | 0.1.5 | 021ba37c4479e3c5e638cd26b2d8c1a85dd7437b |
| Sanka.UI2.WinForms | 0.1.6 | 9cac6c1ca2772fca1babf9325bd9ed7315621c72 |
| Sanka.UI2.WinForms | 0.1.8 | 0a1b6213323c645b462e333ff5a1928deace1234 |
| Sanka.UI2.WinForms | 0.1.7 | 35cd3d9975ee7b740b58696673d158737b75ce13 |
| Sanka.UI3.WinForms | 3.7.9.6 | f71c516d25028ea22761128f01f0248c7ba47fd4 |
| Sanka.UI3.WinForms | 3.8.9.6 | 5b738c0aa14bf2e6e23e2a709bb2d2a66b1877b5 |
| Shade.UI.WinForms | 1.7.3.6 | e1dd57016ac131709a98378f9603976955c726a0 |
| Shade.UI.WinForms | 1.7.3.5 | 2da61a4192111ee7175c6aa9f05816d8131a32af |
| Shade.UI.WinForms | 1.7.3.4 | 6b78eb02ca126300b28fafcc972c59c0830f4d56 |
| Shade.WPF.Controls | 1.46.6 | 9f0dceb3ea60c9e8005f95f46f71773159d2dd32 |
| Shade.WPF.Controls | 1.46.7 | 83255dd6ff2c776a94f5570581e4cacae008b9ac |
| Soenneker.Redis.Util.Net | 1.3.4 | a99ee2485ae64db915884e8c9fe9792848800c3b |
| Soenneker.Redis.Util.Net | 1.4.5 | 86de3eee29d8537bce409a890e38c7bddc1f8973 |
| Soenneker.Redis.Util.Net | 1.6.9 | 8a7558650aa62cd59feaa4abc857421771a73fca |
| Soenneker.Redis.Util.Net | 1.7.6 | 074b308ba96ebeb579298345443ab394ca3f7fc7 |
| Soenneker.Redis.Util.Net | 2.1.3 | 93f1f98ddaeb7c53156991b677eb5f01a8f97fc0 |
| Soenneker.Redis.Util.Net | 2.2.7 | 75127baba9a66291513739dc0685ae0479ad661d |
| Soenneker.Redis.Util.Net | 2.5.6 | d2c0c6f04d208aef79218bc82af2e90e91bf0081 |
| Soenneker.Redis.Util.Net | 2.6.7 | 81e9b0f826929b71801dea8c17a4e38bb3063ce4 |
| Soenneker.Redis.Util.Net | 3.2.9 | 75d8820eb6cbcd1725ca231811cc88711bc50139 |
| Soenneker.Redis.Util.Net | 3.3.1 | 5c11f4d01cd61c9d038a26b4b936c1968c8ba07d |
| Soenneker.Redis.Util.Net | 3.3.5 | 4c632adf228e074faffe2246c1eb84c2413cfaec |
| Soenneker.Redis.Util.Net | 3.4.5 | 2fc984b5c3d40cdfd5a0d2de90bb10a7448fc188 |
| Soenneker.Redis.Util.Net | 3.6.7 | dfe2fed2e93cd750cda2d609e3f01c9e6217976c |
| Soenneker.Redis.Util.Net | 3.7.2 | 801e2c789f189a2fac498ff3a842f57468ae1239 |
| Soenneker.Redis.Util.Net | 4.2.4 | 26a5b39fabd7b02308d4df9e237f8f6c5c23b07d |
| Soenneker.Redis.Util.Net | 4.4.3 | fb9e6721945c3d6211d38dd1b38da0cdb86ee5d3 |
| Soenneker.Redis.Util.Net | 4.5.8 | 7e26ee619d426ad1f50a6ded5bf3418ccc870c83 |
| Soenneker.Redis.Util.Net | 4.8.8 | c465e88c0c8f54f90aac7e6c0e10be0225636091 |
| Soenneker.Redis.Util.Net | 5.5.4 | 9755bef3d303709ddabae59bddac6ec3a530dcc6 |
| Soenneker.Redis.Util.Net | 5.6.2 | ab6a88b4659864976972a37e49dc3d8449d9708d |
| Soenneker.Redis.Util.Net | 5.6.6 | 9291c1596839620c692f0b12f3576f938934f5f9 |
| Soenneker.Redis.Util.Net | 5.7.3 | 71e04ec6dd454dee6bfc9217e5dd4143568c9466 |
| Soenneker.Redis.Util.Net | 5.8.6 | fce31bc63909b6cca53be9ab6fd8f4490ca49eaf |
| Soenneker.Redis.Util.Net | 6.2.3 | 9f7b0384bce27cc8b340ba15ec9fd7515a5f7b3c |
| Soenneker.Redis.Util.Net | 6.3.4 | b9404e70a5b380f4a3fdfb0b23d13acc26e837fc |
| Soenneker.Redis.Util.Net | 6.4.5 | 0d2d997fd8cbff1f35f8bbb487ca0751c079e1df |
| Soenneker.Redis.Util.Net | 6.5.7 | ee6853d57708526b454cb1f8efc488fc33bc5ddb |
| Soenneker.Redis.Util.Net | 7.1.4 | 6f4c54994fa660d0c5643a3a401f35033d37c530 |
| Soenneker.Redis.Util.Net | 7.1.6 | 7825b8986521ca8718454a400a2373fe4a9e05fb |
| Soenneker.Redis.Util.Net | 7.3.9 | 72f07b8025047123906b348c6fec32c45defd75c |
| Soenneker.Redis.Util.Net | 7.4.2 | 0b484ed26a7a8900a9815064003efffd8db73c4b |
| Soenneker.Redis.Util.Net | 7.5.1 | 581eee2564569ac0798e3644d9e569ad759b3dc3 |
| Soenneker.Redis.Util.Net | 7.7.2 | 5c8dd7a0e17ae8d1d95d68ba884d2a59a7caa0bc |
| Soenneker.Redis.Util.Net | 8.1.9 | 07e8bf55b438dd37402893ce4bd330a16be43f60 |
| Soenneker.Redis.Util.Net | 8.2.5 | 7e06cbc51bc7cca89a0ff68b102bb66aded3c513 |
| Soenneker.Redis.Util.Net | 8.7.5 | 5ab81a0003a2022b855f48ad01e10ffe5ddab953 |
| Soenneker.Redis.Util.Net | 8.8.4 | 6f952a264eca42faa95876bc29c1a603a4206a15 |
| Soenneker.Redis.Util.Net | 8.9.5 | 598c28706be67c1e43afff34eef0779bce67e58a |
| Soenneker.Redis.Util.Net | 9.1.4 | 419c719a957ea805f80a3cd9edf3e66e8edbe501 |
| Soenneker.Redis.Util.Net | 9.3.4 | adc850e0e58aec4fb0de10100e14ba99afbd328e |
| Soenneker.Redis.Util.Net | 9.7.6 | 410d5eb872ebc2ae06f77a1cae613ad2693ae2b0 |
| Soenneker.Redis.Util.Net | 9.8.9 | 7f6a46a7777521b0352d73a14709a9a0efbec1ae |
| Solana | 34.66.21 | 5a94d4bdfe6433004b0890ef7b9691872f7d006a |
| Solana | 34.66.22 | 973d84e4e494d58b6f6573cd6e6044741f7564a6 |
| TheOpenAI.API | 1.0.2 | 61ea33ffd34d687bbaf344b5b84c569ad0020f53 |
| TheOpenAI.API | 1.0.1 | 21b674ac5e0d3b68ba8a76e62d375c94e7bd1cb5 |
| TheOpenAI.API | 1.0.0 | a82a0721b61cea297907b1637cdbfd61f9088df2 |
| TheOpenAI.API | 1.1.4 | 2c24d9cfe3f07c25fcf7f4f4b9f0314aef1d76fa |
| TheOpenAI.API | 1.1.5 | 409575623b0779aae4bebc7cbcff6c352f50b64d |
| TheOpenAI.API | 1.0.3 | 3f11ad3c26f786abfeafd5959c803552d7780cbe |
| TheOpenAI.API | 1.1.3 | 2ca5490256704ca655e0d37fbe437934a3c0ab1c |
| Ultimate.Wpf.Toolkit | 4.6.0 | f6c52f8f0747c636dba7eb8ee1c261377d893438 |
| Ultimate.Wpf.Toolkit | 4.6.1 | f980768e0add46614cf0d1c0275b78ca7f41570e |
| Whatsapp.API | 1.8.6 | 30cbfa461a7f9206c682392fff64c0586043fea6 |
| Whatsapp.API | 3.5.9 | 2fa07f99bc336c3687c741057ebae9ae7d07c509 |
| Whatsapp.API | 4.2.3 | f3f9a03538932c175c0055adbddee83f104a3cc6 |
| Whatsapp.API | 5.8.7 | a26dcaeacfc436d93415f0b32092572f5ad8ee88 |
| Whatsapp.API | 6.3.7 | c72b7bdcb8a3e0942eb83f6c525ef7d1f25f4126 |
| Whatsapp.API | 6.5.6 | 51e8f889957325b61d3070f957d8f2c3dcd670c5 |
| Whatsapp.API | 6.6.5 | ca24df24841d94e81a9d679feb46a1a7d9550e3b |
| Whatsapp.API | 8.4.2 | ad6e3bdc850316932306a59ab49e4b7e2650964b |
| Whatsapp.API | 8.6.4 | b87e95fef1856322638978de04b246748d7db2f7 |
| Whatsapp.API | 9.6.7 | 362f28840d8f06ac04eb7c78c1b9ee6e1947fd8a |
| Winforms | 3.56.6 | aa2907bbf324f80ed7eabbdd21900e1202b54290 |
| Winforms | 3.56.7 | 9bd8f234a136f011d8d3a55e3b7d10904ce98a18 |
| Zendesk-Api | 12.58.0 | 24a16a6964038a87ca305dea59a5317967c6e8be |
| Zendesk-Api | 12.57.8 | 289288649926450637fe4b61b8a6d3090ace6fa6 |
| Zendesk-Api | 12.57.9 | 2240486c45540c8d65acc8885be015dba22c9495 |
URLs:
| URL |
| https://nazi.igboat.com |
Petar Kirhmajer contributed to this research post.
