Jimmy Wylie
@mayahustle.com
I look for ICS threats, and spend a lot of time reverse engineering.
Distinguished Malware Analyst @ Dragos.
Lead Analyst on TRISIS and PIPEDREAM.
He/Him
Props to their Threat Research team for identifying and publicizing these harmful packages. If you want to understand what the code does, check out their post.

Bottom line: Always verify your dependencies and their sources!

socket.dev/blog/9-ma...
6/6
9 Malicious NuGet Packages Deliver Time-Delayed Destructive ...
Socket researchers discovered nine malicious NuGet packages that use time-delayed payloads to crash applications and corrupt industrial control system...
November 11, 2025 at 5:31 PM
The evidence also doesn't rule out security research as an explanation.
I’d give this a low-confidence assessment for malicious intent. That said, it's normal for analysts to reach different conclusions, and this isn't a criticism of Socket's solid technical analysis.
5/6
November 11, 2025 at 5:31 PM
- The lure isn't convincing.
- The packages are unpopular (even by Socket's metrics), so infection of new projects seems improbable.
- Why would existing projects switch to the malicious dependencies?
- There's no C2 code to confirm victims. How would an attacker know if this worked?
4/6
November 11, 2025 at 5:31 PM
While I agree the code is harmful and the packages are suspicious, I'm not convinced about the supply chain attack angle -- or if it is one, it’s not a particularly effective one. Several factors give me pause:
3/6
November 11, 2025 at 5:31 PM
No legitimate projects were compromised, and no S7, Sharp7, or Siemens codebases were modified. Socket identified packages published by a separate user ("shanhai666") containing code that probabilistically kills host processes and causes database write failures within specific date ranges.
2/6
November 11, 2025 at 5:30 PM
“No, that’s my neighbor, Bobby. I live at 502, but you have to write 501 on the package or the mail carrier brings it to the wrong house. He has a problem.”

ICS is fun. This blog covers the problem:
blog.softwaretoolbox.com/topserver-mo...

(H/T to Reid Wightman for inspiring this post)

(2/2)
Modbus Offset vs. Addressing: Why Does It Matter?
Discover the relationship between the Modbus address used by TOP Server and the physical offset in a device when enabling/disabling Zero-Based Addressing.
October 31, 2025 at 5:18 PM
Other questions I'm exploring:

How much does AI know about ICS protocols?

Does AI truly lower the barrier for entry? If not, is that an AI limitation or am I just "holding it wrong"?

Is it shortening my development time? Or solving some problems but creating new ones for a net-zero benefit?
2/2
October 27, 2025 at 2:04 PM
MinusOne, a deobfuscation engine for scripting languages: github.com/airbus-ce...

EPIC Erebus for PCIe and DMA attack research: www.crowdsupply.com/...
3/3
GitHub - airbus-cert/minusone: Powershell Linter
October 24, 2025 at 7:58 PM
Here are a few of the projects I enjoyed learning about this time around:

Thorium Malware Pipeline: github.com/cisagov/t...

CTADL Static Taint Analysis Tool: github.com/sandialab...
2/3
GitHub - cisagov/thorium: A scalable file analysis and data generation platform that allows users to easily orchestrate arbitrary docker/vm/shell tools at scale.
October 24, 2025 at 7:58 PM
I couldn’t think of a picture, so here’s an image from an old show that probably planted the seed for me to become a malware analyst.
October 10, 2025 at 6:40 PM
I enjoyed it, but I’ll readily admit, it’s not for everyone.
October 8, 2025 at 4:45 PM
I learned about it reading Orange’s write up in Phrack72: phrack.org/issues/72...

And the blog post it references here by Orange and Splitline: devco.re/blog/2025/0...

Both of these are excellent write ups and great reads if you’re into vulnerability research, CTFs, or hacker history.
3/3
The Art of PHP - My CTF Journey and Untold Stories!
September 19, 2025 at 6:59 PM