The campaign began in July 2025 and includes 14 malicious packages that impersonate legitimate .NET crypto development libraries. Among these is a fake library called Netherеum.All, which mimics Nethereum, a well-known .NET integration library for Ethereum.
According to RL, the malicious packages were distributed under names that resembled legitimate crypto-related tools, such as Solnet, NBitcoin, and Coinbase.Net.
Although they appeared functional and trustworthy, hidden malicious code was embedded within them. Once installed, the malware collected sensitive wallet data, manipulated transaction behavior, or stole OAuth tokens used for Google Ads accounts.
RL classified the 14 packages into three functional groups. Nine of them, including Netherеum.All, acted as wallet stealers.
They added malicious code that executed a hidden function called “Shuffle,” which secretly gathered wallet addresses, private keys, seed phrases, and Wallet Import Format (WIF) keys.
The stolen data was transmitted to a remote command-and-control URL, hxxps://solananetworkinstance[.]info/api/gads, whose domain was chosen to pass as a legitimate Solana-related service.
Another group of packages redirected crypto transactions to attacker-controlled wallets. For instance, the Coinbase.Net.Api package modified code inside the “SendMoneyAsync” function, replacing the transaction destination with the attacker’s wallet address.
Only transfers exceeding $100 were affected, helping the attackers evade rapid detection while steadily siphoning funds.
The final group, which included Google Ads.API, exfiltrated OAuth credentials from developers’ Google Ads accounts, giving threat actors full access to campaigns and the ability to spend funds fraudulently.
To make the malicious packages appear legitimate, threat actors relied on social engineering tactics: homoglyph attacks, in which lookalike characters replaced letters in package names; version bumping to simulate regular updates; and artificially inflated download counts to suggest broad adoption.
These convincing metrics fostered misplaced trust among developers and increased the likelihood of installation.
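As an added example (not code from the article or from ReversingLabs), the following check catches the homoglyph trick described above by auditing the PackageReference ids in a .NET project file: it flags any id containing non-ASCII characters and any id that matches an allowlisted package only after confusable characters are normalised. The sample .csproj, the allowlist and the small confusable table are constructed for illustration.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample project file (not from the article). The second reference
# spells the id with Cyrillic "е" (U+0435) in place of Latin "e", the same
# trick the article describes for the fake Netherеum.All package.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nethereum.Web3" Version="4.0.0" />
    <PackageReference Include="Nether\u0435um.All" Version="4.0.0" />
    <PackageReference Include="NBitcoin" Version="7.0.0" />
  </ItemGroup>
</Project>"""

# Assumed allowlist of the ids this project is meant to depend on.
KNOWN_GOOD = {"Nethereum.All", "Nethereum.Web3", "NBitcoin", "Solnet"}

# Minimal Cyrillic-to-Latin confusable table; a production check would use the
# full Unicode TR39 confusables data instead of this hand-picked subset.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}

def skeleton(pkg_id):
    """Collapse confusable characters so lookalike ids compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in pkg_id).lower()

def non_ascii_chars(pkg_id):
    """List (codepoint, Unicode name) for every non-ASCII character in the id."""
    return [(f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for c in pkg_id if ord(c) > 0x7F]

def package_ids(csproj_xml):
    """Extract PackageReference ids from an SDK-style .csproj document."""
    root = ET.fromstring(csproj_xml)
    return [el.get("Include") for el in root.iter("PackageReference")
            if el.get("Include")]

def audit(csproj_xml, known_good=KNOWN_GOOD):
    """Return findings for ids with non-ASCII characters and for ids that
    equal a known-good id only after confusables are normalised."""
    by_skeleton = {skeleton(k): k for k in known_good}
    findings = []
    for pkg in package_ids(csproj_xml):
        odd = non_ascii_chars(pkg)
        target = by_skeleton.get(skeleton(pkg))
        if odd:
            findings.append((pkg, "non-ascii characters", odd))
        if target is not None and pkg != target:
            findings.append((pkg, "lookalike of", target))
    return findings

if __name__ == "__main__":
    for pkg, reason, detail in audit(SAMPLE_CSPROJ):
        print(f"SUSPICIOUS {pkg!r}: {reason} {detail}")
```

Run against the sample, the genuine Nethereum.Web3 and NBitcoin references pass, while the Cyrillic-spelled id is reported twice: once for the non-ASCII character and once as a lookalike of Nethereum.All.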
ReversingLabs warned that while developers were the first targets, the risk extended downstream, as projects built with these compromised dependencies could expose end users and entire organizations to credential theft or crypto losses.
Researchers urged developers to verify package authenticity, examine code for obfuscation, and rely on platforms like Spectra Assure Community for pre-installation analysis.
This campaign underscores that even trusted repositories like NuGet are vulnerable to malicious infiltration, reinforcing that trust remains the weakest link in the open-source software supply chain.
The post Malicious NuGet Package Masquerades as .NET Library to Steal Crypto Wallets and OAuth Tokens appeared first on Cyber Security News.