NuGet Repository Overview

NuGet Repository Overview

Recently, the software supply chain security firm ReversingLabs reported a malware campaign affecting several hundred packages published to the NuGet package manager. In this campaign, the malware authors sought to impersonate popular vendors, including CData, with software packages that would install malware.

The CData Security Team has investigated this as a high-priority issue and has confirmed that none of the official software packages from CData Software have been compromised.

Typosquatting attacks have become increasingly common across online package managers. In this instance, the malware authors published packages with package names that make them look as if they came from CData:

• CData.NetSuite.Net.Framework
• CData.Salesforce.Net.Framework
• CData.Snowflake.API
• CData.Snowflake.EntityFramework.Net

CData never published these packages, and they are completely unrelated to our NuGet account. All CData NuGet packages are named using these two naming conventions:

• CData.DataSource
• CData.DataSource.EntityFrameworkCore

Furthermore, CData NuGet packages are exclusively published from our official NuGet account CDataSoftware: https://www.nuget.org/profiles/CDataSoftware

If you are concerned that you may be impacted, please open Visual Studio and review your installed CData packages. Valid packages will follow the described naming convention and will display "CData Software, Inc." as the package's author. e.g.

CData understands the importance of security and is committed to managing its products and services with the most advanced security technologies possible for customers around the world. In the future weeks, CData will move towards signing the code that we list in NuGet, as we do with all of the software installers that we ship directly from the CData website. Code signing provides an extra layer of security for end-users to verify that the code they receive has not been altered or compromised by a third party.