IRAOAuth2.0
IRAOAuth2.0 is a malicious NuGet package used in a software supply-chain campaign targeting ASP.NET web application developers. It was one of four related packages published between August 12 and 21, 2024 by the NuGet account "hamzazaheer"; the others were NCryptYo, DOMOAuth2_, and SimpleWriter_. The campaign accumulated more than 4,500 downloads before the packages were removed following responsible disclosure.
IRAOAuth2.0 is a companion payload in a multi-package attack chain. The campaign activates only after all four packages are installed. NCryptYo functions as the stage-1 dropper, executing on assembly load, installing JIT hooks, decrypting embedded payloads, and deploying a stage-2 localhost proxy on 127.0.0.1:7152. IRAOAuth2.0 then communicates with that local proxy rather than directly with attacker infrastructure; the proxy relays traffic to an external C2 whose address is dynamically resolved at runtime.
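The four package IDs and the all-four activation condition give a defender something concrete to hunt for in a build tree before the code ever runs. The script below is an added example for this page, not code from the package authors or from the researchers who reported the campaign. It parses the three places NuGet records dependencies (PackageReference items in .csproj, legacy packages.config, and packages.lock.json), reports which of the four IDs appear in each file, and says whether the complete chain is present anywhere. The sample project tree and the package versions in it are constructed.

```python
"""Hunt for the hamzazaheer NuGet package set in .NET project files.

Added example for this page; it is not code from the package authors or
from the researchers who reported the campaign. The four package IDs and
the all-four activation condition come from the write-up above; the file
layouts are the standard NuGet ones. The sample tree at the bottom is
constructed, including the version numbers.
"""
import json
import xml.etree.ElementTree as ET

# NuGet package IDs are case-insensitive, so everything is compared lower-cased.
MALICIOUS_PACKAGES = {
    "ncryptyo": "stage-1 dropper: JIT hooks, localhost proxy on 127.0.0.1:7152",
    "domoauth2_": "ASP.NET Identity exfiltration, caller-supplied AuthKey",
    "iraoauth2.0": "ASP.NET Identity exfiltration, hardcoded AuthKey",
    "simplewriter_": "companion package sharing the embedded credential",
}


def ids_from_csproj(text):
    """PackageReference Include="..." (or Update="...") entries. Tags are
    stripped of any namespace so old-style MSBuild projects parse too."""
    found = set()
    for el in ET.fromstring(text).iter():
        if el.tag.split("}")[-1] == "PackageReference":
            pid = el.get("Include") or el.get("Update")
            if pid:
                found.add(pid.lower())
    return found


def ids_from_packages_config(text):
    """<package id="..."/> entries from a legacy packages.config."""
    return {el.get("id").lower()
            for el in ET.fromstring(text).iter("package") if el.get("id")}


def ids_from_lock_file(text):
    """packages.lock.json: "dependencies" -> target framework -> package ID.
    This also catches a malicious package restored transitively."""
    found = set()
    for deps in json.loads(text).get("dependencies", {}).values():
        found.update(pid.lower() for pid in deps)
    return found


PARSERS = (
    (".csproj", ids_from_csproj),
    ("packages.config", ids_from_packages_config),
    ("packages.lock.json", ids_from_lock_file),
)


def hunt(files):
    """files maps path -> contents. Returns the malicious IDs per file and
    whether the complete four-package chain (the activation condition) is
    present anywhere in the tree."""
    hits, seen = {}, set()
    for path, text in files.items():
        for suffix, parser in PARSERS:
            if path.lower().endswith(suffix):
                found = parser(text) & set(MALICIOUS_PACKAGES)
                if found:
                    hits[path] = sorted(found)
                    seen |= found
                break
    return {"hits": hits, "full_chain": seen == set(MALICIOUS_PACKAGES)}


# Constructed sample tree: one SDK-style project referencing two of the
# packages directly, a lock file showing all four restored, and a clean
# legacy project.
SAMPLE_FILES = {
    "src/Web/Web.csproj": """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="NCryptYo" Version="1.0.0" />
    <PackageReference Include="IRAOAuth2.0" Version="1.0.0" />
  </ItemGroup>
</Project>""",
    "src/Web/packages.lock.json": json.dumps({
        "version": 1,
        "dependencies": {"net8.0": {
            "NCryptYo": {"type": "Direct", "requested": "[1.0.0, )"},
            "IRAOAuth2.0": {"type": "Direct", "requested": "[1.0.0, )"},
            "DOMOAuth2_": {"type": "Direct", "requested": "[1.0.0, )"},
            "SimpleWriter_": {"type": "Direct", "requested": "[1.0.0, )"},
        }},
    }),
    "legacy/Api/packages.config": """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="13.0.3" targetFramework="net48" />
</packages>""",
}

if __name__ == "__main__":
    report = hunt(SAMPLE_FILES)
    for path, ids in report["hits"].items():
        print(path)
        for pid in ids:
            print(f"  {pid}: {MALICIOUS_PACKAGES[pid]}")
    print("complete four-package chain present:", report["full_chain"])
```

Run it over a real checkout by reading every matching file into the dict that hunt() takes. Any hit is worth removing on its own, but full_chain is the case that matters most: only a tree with all four packages restored satisfies the activation condition described above.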
Its primary capability is exfiltration and manipulation of ASP.NET Identity authorization data. Researchers reported that IRAOAuth2.0 transmits ASP.NET Identity data, including user accounts and role/permission mappings, through the local proxy to attacker-controlled infrastructure. It implements the same four data exfiltration endpoints as DOMOAuth2_, corresponding to get-permissions, get-role-permissions, update-role-permissions, and update-user-permissions. The C2 can return authorization rules that are processed by the victim application, enabling persistent backdoors such as granting admin roles, modifying access controls, or disabling security checks in deployed applications.
IRAOAuth2.0 removes the configurability DOMOAuth2_ offers: it ignores any caller-provided AuthKey and instead inlines a hardcoded authentication token in every method. Reporting also states that DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ share a byte-identical embedded credential that decodes to a common API key and ProjectId used to authenticate to the same C2 infrastructure. The decoded ProjectId was reported as 06062730-b307-48a6-a7c3-140e6bae4587, and the decoded Auth string begins with "9ujkh@(ik#@!mpoid-0ePpasj@onbxwWmi@lllmcoPiKe...". Hardcoding the token leaves no configuration-level way to disable the channel; the package itself has to be removed.
Additional reported artifacts linking IRAOAuth2.0 to the broader campaign include shared build metadata and source path exposure. Assembly metadata indicated builds on Windows NT 10.0.22631 using NuGet Pack 6.10.0.97 with LangVersion 12.0 and unsafe code enabled. Exposed PDB paths included E:\Projects\A-Mark\Authorization\OAuth2.0\ for DOMOAuth2_ and IRAOAuth2.0, supporting common authorship across the package set. Researchers also noted that IRAOAuth2.0 references a dependency named Shared v1.0.0 for model types not present in the public NuGet package "Shared" by EagleTM, suggesting a broken or private dependency.
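The PDB path and the shared credential are static artifacts a responder can check for in a built assembly or an unpacked .nupkg. The script below is an added example for this page, not code from the researchers or the package authors. It searches for the indicators quoted above in both encodings that matter for .NET binaries: the CodeView RSDS debug record stores the PDB path as a NUL-terminated ASCII/UTF-8 string, while C# string literals live in the #US metadata heap as UTF-16LE, so an ASCII-only grep misses them. The sample bytes are constructed, including the PDB file name appended to the reported directory.

```python
"""Static triage of a .NET assembly for artifacts reported for the
hamzazaheer package set. Added example for this page, not code from the
researchers or the package authors. Indicator values are the ones quoted
in the text; the sample bytes are constructed.
"""

INDICATORS = {
    # Shared source tree exposed via the PDB paths of DOMOAuth2_ and IRAOAuth2.0.
    "pdb_path": "E:\\Projects\\A-Mark\\Authorization\\OAuth2.0\\",
    # Decoded ProjectId shared by DOMOAuth2_, IRAOAuth2.0 and SimpleWriter_.
    "project_id": "06062730-b307-48a6-a7c3-140e6bae4587",
    # Reported prefix of the decoded Auth string (the report truncates it).
    "auth_prefix": "9ujkh@(ik#@!mpoid-0ePpasj@onbxwWmi@lllmcoPiKe",
    # Stage-2 localhost proxy endpoint deployed by NCryptYo.
    "local_proxy": "127.0.0.1:7152",
}


def encodings(value):
    """Byte patterns to search for one indicator: plain and UTF-16LE."""
    return {"ascii": value.encode("utf-8"), "utf-16le": value.encode("utf-16-le")}


def scan(blob):
    """Return {indicator: {"encoding": ..., "offset": ...}} for each hit."""
    hits = {}
    for name, value in INDICATORS.items():
        for enc, needle in encodings(value).items():
            off = blob.find(needle)
            if off >= 0:
                hits[name] = {"encoding": enc, "offset": off}
                break
    return hits


def extract_pdb_path(blob):
    """Pull the path out of an RSDS CodeView record: 'RSDS', a 16-byte
    signature GUID, a 4-byte age, then the NUL-terminated PDB path."""
    i = blob.find(b"RSDS")
    if i < 0:
        return None
    start = i + 4 + 16 + 4
    end = blob.find(b"\x00", start)
    return blob[start:end].decode("utf-8", "replace") if end > start else None


def triage(blob):
    """Combine raw indicator hits with the decoded PDB path and classify."""
    hits = scan(blob)
    pdb = extract_pdb_path(blob)
    related = pdb is not None and pdb.startswith(INDICATORS["pdb_path"])
    return {
        "is_pe": blob[:2] == b"MZ",
        "pdb_path": pdb,
        "shares_campaign_source_tree": related,
        "indicators": hits,
        "verdict": "suspicious" if hits or related else "no campaign artifacts",
    }


# Constructed sample: a PE-like blob with an RSDS record pointing into the
# campaign's source tree (file name made up) and the ProjectId embedded the
# way a C# string literal would be, plus a clean control blob.
_PDB = INDICATORS["pdb_path"] + "constructed.pdb"
SAMPLE_MALICIOUS = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + bytes(range(16)) + (1).to_bytes(4, "little") + _PDB.encode() + b"\x00"
    + b"\x00" * 16
    + INDICATORS["project_id"].encode("utf-16-le")
    + b"\x00" * 8
)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 62 + "Clean assembly".encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("constructed malicious", SAMPLE_MALICIOUS),
                        ("constructed benign", SAMPLE_BENIGN)):
        print(label, triage(blob))
```

Treat the PDB path as the dependable static marker. The report says the credential is embedded in encoded form, so the decoded ProjectId and Auth prefix will normally only match in decoded payloads or a memory dump, not in the raw assembly; a miss on those two says nothing on its own.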
The reported objective of the campaign was not primarily to compromise developer workstations directly, but to compromise ASP.NET applications built with the malicious dependencies so that production deployments continue exfiltrating authorization data and accepting attacker-controlled permission changes.
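Because the objective is a running production application, the runtime signal is the stage-2 proxy on 127.0.0.1:7152 and its relay to an externally resolved C2. The script below is an added example for this page, not a vendor or researcher rule. It scores Sysmon Event ID 3 (NetworkConnect) records reduced to dicts: a process that connects to 127.0.0.1:7152 is flagged medium, and high if the same process also connects out to external addresses, which is the relay behaviour described above. The correlation on a single PID assumes the proxy runs inside the compromised application process; that is an assumption, and if the proxy turned out to be a separate process the outbound check would need to key on its PID instead. All telemetry records are constructed.

```python
"""Flag processes that talk to the stage-2 localhost proxy on 127.0.0.1:7152.

Added example for this page, not a vendor or researcher rule. Input is
Sysmon Event ID 3 (NetworkConnect) records reduced to dicts; the records
below are constructed. Assumes the proxy lives in the application process,
so one PID both connects to 127.0.0.1:7152 and relays outward.
"""
import ipaddress

LOCAL_PROXY = ("127.0.0.1", 7152)

# Loopback, RFC 1918, link-local and "this network" count as internal.
# The IANA documentation ranges (e.g. 203.0.113.0/24, used for the sample
# C2 below) are deliberately not listed so they count as external here;
# in production use ipaddress.ip_address(x).is_global instead.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in _INTERNAL)


def assess(events):
    """Group EID 3 records by ProcessId and score each process.

    medium: connects to 127.0.0.1:7152 (could also be a Kestrel dev port)
    high:   additionally connects to external addresses, matching the
            proxy's relay-to-C2 behaviour.
    """
    by_pid = {}
    for ev in events:
        by_pid.setdefault(ev["ProcessId"], []).append(ev)

    findings = []
    for pid, evs in by_pid.items():
        to_proxy = [e for e in evs
                    if (e["DestinationIp"], e["DestinationPort"]) == LOCAL_PROXY]
        if not to_proxy:
            continue
        external = sorted({e["DestinationIp"] for e in evs
                           if is_external(e["DestinationIp"])})
        findings.append({
            "pid": pid,
            "image": evs[0]["Image"],
            "severity": "high" if external else "medium",
            "proxy_connections": len(to_proxy),
            "external_destinations": external,
        })
    return findings


def _ev(time, pid, image, dst_ip, dst_port):
    """Build a minimal Sysmon EID 3 record (constructed)."""
    return {"UtcTime": time, "ProcessId": pid, "Image": image, "Initiated": "true",
            "SourceIp": "127.0.0.1" if dst_ip == "127.0.0.1" else "192.168.10.25",
            "DestinationIp": dst_ip, "DestinationPort": dst_port}


# Constructed telemetry: an IIS worker process relaying through the proxy
# to an outside host, a developer's Kestrel instance that only touches
# 7152, and a browser with ordinary outbound traffic.
SAMPLE_EVENTS = [
    _ev("2024-08-20 10:00:01.101", 4120, r"C:\Windows\System32\inetsrv\w3wp.exe", "127.0.0.1", 7152),
    _ev("2024-08-20 10:00:01.250", 4120, r"C:\Windows\System32\inetsrv\w3wp.exe", "203.0.113.10", 443),
    _ev("2024-08-20 10:00:02.000", 6100, r"C:\Program Files\dotnet\dotnet.exe", "127.0.0.1", 7152),
    _ev("2024-08-20 10:00:03.000", 5000, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "203.0.113.20", 443),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['image']} "
              f"proxy_connections={f['proxy_connections']} external={f['external_destinations']}")
```

The medium tier exists because 7152 falls inside the 7000-7300 range that recent ASP.NET Core project templates hand out for the development HTTPS profile, so a loopback connection to that port on a developer workstation is weak evidence by itself. On a production web server running w3wp.exe or a published dotnet process, the same connection is far more interesting, and combining it with the package-manifest check above turns a port hit into a confirmed infection.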
Groups observed using it: 1 distinct threat actor attributed by public researchers.
"IRAOAuth2.0 implements the same four data exfiltration endpoints as DOMOAuth2_ but removes all configurability."
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Persistence: 1 technique
Collection: 1 technique
Command and Control: 2 techniques
Exfiltration: 1 technique
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Companion malicious NuGet package that exfiltrates ASP.NET Identity data through the NCryptYo-deployed localhost proxy and enables persistent backdooring of deployed ASP.NET applications by applying attacker-provided authorization rule changes.
Companion malicious NuGet package to DOMOAuth2_ that exfiltrates the same ASP.NET Identity authorization data via localhost:7152, but hardcodes and inlines the attacker auth token in every method and ignores any caller-supplied key, creating a resilient, hard-to-disable exfiltration and control channel for authorization manipulation.