Malicious Package Affecting sqlunicorn.core package, versions [0,]

Q: How to fix?

Avoid using all malicious instances of the SqlUnicorn.Core package.

Threat Intelligence

Attacked

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-DOTNET-SQLUNICORNCORE-13849414
published7 Nov 2025
disclosed7 Nov 2025
creditSocket's Threat Research Team

Report a new vulnerability Found a mistake?

Introduced: 7 Nov 2025

New Malicious CWE-506 (opens in a new tab)

How to fix?

Avoid using all malicious instances of the SqlUnicorn.Core package.

Overview

SqlUnicorn.Core is a malicious package. This package contains malicious code that injects time-delayed destructive payloads into database operations and target industrial control systems. Published under the NuGet alias shanhai666 together with 8 other malicious packages between 2023 and 2024, these packages terminate the host application process with 20% probability on each database query after specific trigger dates in 2027 and 2028.

The content of this package was removed from NuGet.

References

Blog Post

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None