Malicious NuGet Package Steals Cryptocurrency Wallet Data
Full Transcript
Cybersecurity researchers have discovered a malicious NuGet package named 'Tracer.Fody.NLog' that typosquats and impersonates the legitimate .NET tracing library 'Tracer.Fody'. This package was published by a user named 'csnemess' on February 26, 2020, and has been available on the repository for nearly six years.
Although the package has been downloaded at least 2,000 times, its malicious behavior was only recently identified; version 3.2.4 alone was downloaded 19 times in the last six weeks. According to Socket security researcher Kirill Boychenko, the package functions as a cryptocurrency wallet stealer: it scans the default Stratis wallet directory, reads '*.wallet.json' files, and exfiltrates the wallet data along with passwords to an IP address in Russia, specifically 176.113.82[.]163.
The threat uses several tactics to avoid detection, such as mimicking the legitimate maintainer's name and using Cyrillic lookalike characters in the code. It also hides its malicious routine inside a generic-looking helper function called 'Guard.NotNull' and swallows every exception, so the host application keeps running without visible errors while the data is exfiltrated.
This IP address was previously linked to another NuGet impersonation attack in December 2023, where a package named 'Cleary.AsyncExtensions' was published to siphon wallet seed phrases. The findings underscore the risks associated with malicious typosquats in open-source ecosystems, prompting Socket to warn that defenders should expect to see similar activities targeting other logging and tracing integrations and utility packages common in .NET projects.
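Two of the evasion tactics described above, the typosquatted package ID and the Cyrillic lookalike characters in identifiers, can be checked for mechanically before a package is trusted. The script below is an added example written for this page, not code from the article, Socket, or the Tracer.Fody project; the TRUSTED_IDS allowlist, the 0.8 similarity threshold, and the C# snippet are constructed assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist: the package IDs this project is expected to reference (assumption).
TRUSTED_IDS = ["Tracer.Fody", "NLog", "Fody"]

# Constructed C# snippet: the 'а' (U+0430) in Guаrd is Cyrillic and renders like Latin 'a'.
SAMPLE_SOURCE = (
    "public static class Gu\u0430rd { public static T NotNull<T>(T v) { return v; } }\n"
    'var files = Directory.GetFiles(dir, "*.wallet.json");\n'
)

IDENT_RE = re.compile(r"[^\W\d]\w*")  # identifier-like tokens, Unicode-aware


def is_typosquat(candidate: str, trusted_ids, threshold: float = 0.8) -> bool:
    """Flag a package ID that is not allowlisted but sits suspiciously close to one:
    an allowlisted ID with an extra dotted segment (Tracer.Fody -> Tracer.Fody.NLog)
    or a near-identical string (similarity ratio at or above the threshold)."""
    c = candidate.lower()
    trusted = {t.lower() for t in trusted_ids}
    if c in trusted:
        return False  # exact allowlisted package, nothing to flag
    for t in trusted:
        if c.startswith(t + ".") or c.endswith("." + t):
            return True
        if SequenceMatcher(None, c, t).ratio() >= threshold:
            return True
    return False


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def mixed_script_identifiers(source: str) -> list:
    """Return identifiers whose letters come from more than one script,
    the signature of a homoglyph-substituted name such as Guаrd."""
    found = []
    for m in IDENT_RE.finditer(source):
        ident = m.group()
        scripts = {script_of(ch) for ch in ident if ch.isalpha()}
        if len(scripts) > 1:
            found.append(ident)
    return found


if __name__ == "__main__":
    for pkg in ["Tracer.Fody", "Tracer.Fody.NLog", "Newtonsoft.Json"]:
        print(f"{pkg}: typosquat={is_typosquat(pkg, TRUSTED_IDS)}")
    print("mixed-script identifiers:", mixed_script_identifiers(SAMPLE_SOURCE))
```

Both checks are heuristics for triage: a hit means a human should look at the package, not that it is malicious.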