Tags: .net, security, nuget, cve

Looking for intentionally vulnerable nuget package for testing purposes


I am looking for one or more nuget packages that intentionally contain vulnerabilities. I want to test some security tools that should be able to pick up such nugets in my projects automatically and notify me, but I am having trouble finding any.


Solution

  • If you go to the GitHub Advisories Database, you can click on the NuGet ecosystem.

    The first advisory listed at the time I'm writing this lists 4 packages affected, although they're all runtime packages, so maybe you don't want to test with this package.

    The first advisory that is not part of the .NET runtime at the time I'm writing this is for a package called Snappier, and going to the package detail page, versions tab on nuget.org, I can see that version 1.1.0 is listed as having a known vulnerability.

    You might also be interested in this advisory on Newtonsoft.Json, which affects all older versions of the package, which is notable since Newtonsoft.Json is a very commonly used package, either directly or transitively through direct package dependencies. (nuget.org link to package details)
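As an added example (not part of the question or the answer above), the "look up a known-vulnerable version, pin it, see whether the tooling notices" workflow as a POSIX shell script. It writes a throwaway project that references Snappier 1.1.0, the version the answer saw flagged on nuget.org, and then runs `dotnet list package --vulnerable`, the SDK's own audit, which gives you a baseline to compare against whatever scanner you are evaluating. Assumptions: a .NET SDK (6.0 or newer) is on PATH and the machine can reach nuget.org for advisory data; the project name, temp directory and `net6.0` target are my choices, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the original post): create a throwaway .NET project that
# references a package version the GitHub Advisory Database marks as vulnerable
# (Snappier 1.1.0, as named in the answer) and ask the dotnet CLI to flag it.
# Assumptions: dotnet SDK 6.0+ on PATH; network access to nuget.org for advisory data.
set -eu

# Write a minimal class-library project file that pins the vulnerable version.
# $1 = directory to create, $2 = package id, $3 = package version
# Prints the path of the generated .csproj.
write_vuln_project() {
    mkdir -p "$1"
    cat > "$1/VulnTest.csproj" <<EOF
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="$2" Version="$3" />
  </ItemGroup>
</Project>
EOF
    printf '%s\n' "$1/VulnTest.csproj"
}

# Restore the project and run the SDK's built-in vulnerability audit.
# $1 = path to .csproj, $2 = package id that must appear in the audit output
# Returns 0 if the SDK is absent (nothing to test) or the package was flagged,
# 1 if the audit ran but did not report the package.
audit_project() {
    if ! command -v dotnet >/dev/null 2>&1; then
        echo "dotnet SDK not found; skipping audit" >&2
        return 0
    fi
    dotnet restore "$1" >/dev/null
    # --vulnerable queries the package source for advisories; --include-transitive
    # also surfaces vulnerable packages pulled in indirectly, which matters for
    # something as widely depended-on as Newtonsoft.Json.
    if dotnet list "$1" package --vulnerable --include-transitive | grep -q "$2"; then
        echo "audit flagged $2 as expected"
    else
        echo "audit did NOT flag $2; check your scanner configuration" >&2
        return 1
    fi
}

# Usage: defaults to the package and version named in the answer; pass
# "<package> <version>" as arguments to test a different advisory.
PKG="${1:-Snappier}"
VER="${2:-1.1.0}"
PROJ=$(write_vuln_project "${TMPDIR:-/tmp}/nuget-vuln-test" "$PKG" "$VER")
audit_project "$PROJ" "$PKG"
```

If the SDK audit flags the package but the tool you are evaluating does not, the gap is in that tool's configuration or data source rather than in the test project; if neither flags it, check that restore actually hit a package source that serves vulnerability data.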