14 Malicious NuGet Packages Found Stealing Crypto Wallets and Ad Data – Hackread – Cybersecurity News, Data Breaches, AI, and More


As digital currency continues to grow, so do the methods used by cybercriminals to steal it. Recently, a major cybersecurity threat was found on NuGet, a popular platform where software developers find building blocks for their apps. The discovery was made by software security firm ReversingLabs (RL) and publicly disclosed on Monday.

Sneaky Tactics to Build Trust

RL researchers found that since July 2025, a group of hackers has been uploading “poisoned” code packages designed to look like trusted tools. However, they didn’t just upload malicious code; they used psychological tricks.

For instance, they used homoglyphs: letters that look identical to the naked eye but are different characters to a computer. A key example is the package Netherеum.All, which used a special “е” to impersonate a famous Ethereum library.

[Image. Source: ReversingLabs]
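A defender can catch this kind of lookalike name before it is restored into a build. The following is an added example, not code from ReversingLabs or Hackread: it audits a list of package IDs for non-ASCII characters and reports which trusted name each one imitates. The sample IDs, the trusted list and the assumption that the lookalike letter is U+0435 are constructed for illustration.

```python
import unicodedata

# Illustrative subset of Cyrillic/Greek letters that render like Latin ones
# (assumption: a real deployment would use the full Unicode confusables data).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u03b1": "a", "\u03bf": "o",
}


def skeleton(package_id):
    """Lowercase the ID (NuGet IDs are case-insensitive) and fold lookalikes to ASCII."""
    lowered = unicodedata.normalize("NFKC", package_id).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in lowered)


def audit(package_ids, trusted_ids):
    """Report every ID containing non-ASCII characters and what it imitates."""
    # Index trusted IDs by their first dotted segment, e.g. "nethereum".
    trusted_prefixes = {t.lower().split(".")[0]: t for t in trusted_ids}
    findings = []
    for pid in package_ids:
        odd = [(pos, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
               for pos, ch in enumerate(pid) if ord(ch) > 127]
        if not odd:
            continue  # this check only covers non-ASCII lookalikes
        skel = skeleton(pid)
        findings.append({
            "id": pid,
            "non_ascii": odd,          # position, code point, Unicode name
            "skeleton": skel,          # what the name reads as to a human
            "imitates": trusted_prefixes.get(skel.split(".")[0]),
        })
    return findings


# Constructed sample input: the second ID assumes the lookalike is U+0435.
SAMPLE_IDS = ["Newtonsoft.Json", "Nether\u0435um.All", "Nethereum.Web3"]
TRUSTED = ["Nethereum.Web3", "Newtonsoft.Json"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_IDS, TRUSTED):
        print(finding)
```

Feeding it the package IDs from a project's dependency manifest or lock file turns this into a pre-restore gate; any finding with a non-empty `imitates` field deserves manual review.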

To make the scam even more convincing, the hackers used version bumping (releasing dozens of updates in a short time to mimic a busy, reliable project). Some packages even featured fake download counts in the millions to trick developers into thinking the community already trusted the code.

“RL researchers have discovered a malicious #NuGet package that is impersonating “#Netherum,” a popular #Ethereum library. It has over 10M downloads, but these are most definitely artificially inflated,” ReversingLabs posted on X (formerly Twitter).

Who Was Behind the Attacks?

Regarding who was behind this wave of attacks, researchers observed that a package called SolnetAll was deleted before it could be fully studied. However, further probing revealed it was linked to an author named DamienMcdougal.

This is a significant name because the same author was responsible for other theft-related packages, like NBitcoin.Unified. It appears these attackers are persistent, often moving to a new fake name once they are caught, researchers wrote in the blog post shared exclusively with Hackread.com.

Three Ways the Money Disappears

The 14 packages found by ReversingLabs were split into three groups:

9 packages were built to snatch seed phrases and private keys (the master passwords for a crypto wallet). “Malicious code has been subtly injected” into these tools, researchers noted, so it only activates when a user is most vulnerable.

A second group, including Coinbase.Net.Api, used a different trick. If a user tried to send crypto, the malware would quietly swap the destination address with the hacker’s wallet for any transaction over $100.

The package GoogleAds.API focused on stealing OAuth tokens. These tokens allow a hacker to log into a Google Ads account without a password, potentially spending the victim’s money on fraudulent ads.

A Risk to the Whole Community

The impact isn’t limited to the person who downloads the tool. Because these packages are used to build other apps, a developer might accidentally include the stolen code in a product they sell, passing the infection “downstream” to thousands of innocent users. This campaign proves that trust is often the weakest link in digital security.
