Malicious NuGet Packages Mimic Popular Nethereum Project to Steal Wallet Keys


A sophisticated supply chain attack has emerged targeting cryptocurrency developers through the NuGet package ecosystem.

Cybersecurity researchers have uncovered malicious packages impersonating Nethereum, a widely trusted .NET library for Ethereum blockchain interactions with tens of millions of downloads.

The counterfeit packages, identified as Netherеum.All and NethereumNet, employ advanced obfuscation techniques to exfiltrate sensitive wallet credentials including private keys, mnemonics, keystore JSON files, and signed transaction data.

The attack leverages a homoglyph typosquatting technique, replacing the Latin letter “e” with a visually identical Cyrillic character (U+0435) in the package name Netherеum.All.

This subtle Unicode substitution makes the fraudulent package nearly indistinguishable from the legitimate Nethereum library during casual inspection.
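The homoglyph substitution described above is easy to miss by eye but easy to catch mechanically. The following is an added example, not code from the article or from Socket.dev, showing how a build-time check can flag package ids that contain non-ASCII characters, collapse onto a trusted name once look-alike characters are mapped back to Latin, or reuse a trusted project prefix without being on the project's allowlist. The confusables table is a small constructed subset of the Unicode confusables data, the allowlist and the `.csproj` content are hypothetical, and the Cyrillic `U+0435` is the character the article reports.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed subset of Unicode confusables: Cyrillic letters that render like Latin ones.
# This is an assumption for the example, not the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}

# Hypothetical allowlist: package ids this project is known to depend on.
TRUSTED_PACKAGES = {
    "Nethereum.Web3", "Nethereum.Hex", "Nethereum.Signer", "Nethereum.Util", "Newtonsoft.Json",
}
# Project names whose prefix a typosquat would borrow (assumption).
TRUSTED_PREFIXES = ("Nethereum",)

# Constructed .csproj fragment; the second reference carries the Cyrillic "е" (U+0435).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nethereum.Web3" Version="4.0.0" />
    <PackageReference Include="Nether\u0435um.All" Version="1.0.0" />
    <PackageReference Include="NethereumNet" Version="1.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""


def skeleton(name: str) -> str:
    """Map confusable characters to their Latin look-alikes so a homoglyph id collapses onto the real one."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", name))


def foreign_chars(name: str):
    """Every character outside printable ASCII, with its code point and Unicode name."""
    return [
        (i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if ord(ch) > 0x7F
    ]


def check_package(name: str) -> list[str]:
    """Return findings for one package id; an empty list means nothing suspicious."""
    findings = []
    foreign = foreign_chars(name)
    if foreign:
        findings.append("non-ASCII characters: " + ", ".join(
            f"{cp} {uname} at index {i}" for i, _, cp, uname in foreign))
    sk = skeleton(name)
    if sk != name and sk in TRUSTED_PACKAGES:
        findings.append(f"homoglyph of trusted package {sk}")
    elif name not in TRUSTED_PACKAGES and sk.lower().startswith(
            tuple(p.lower() for p in TRUSTED_PREFIXES)):
        findings.append("uses a trusted project prefix but is not an allowlisted package")
    return findings


def package_ids(csproj_text: str) -> list[str]:
    """Collect PackageReference ids from a .csproj document."""
    root = ET.fromstring(csproj_text)
    return [el.get("Include") for el in root.iter("PackageReference") if el.get("Include")]


def scan_csproj(csproj_text: str) -> dict[str, list[str]]:
    """Map each suspicious package id in the project file to its findings."""
    report = {}
    for pid in package_ids(csproj_text):
        findings = check_package(pid)
        if findings:
            report[pid] = findings
    return report


if __name__ == "__main__":
    for pid, findings in scan_csproj(SAMPLE_CSPROJ).items():
        print(pid.encode("unicode_escape").decode(), "->", "; ".join(findings))
```

Printing the id with `unicode_escape` is deliberate: a raw print would render the Cyrillic letter exactly like the Latin one, which is the problem the check exists to surface. The same scan can be pointed at `packages.lock.json` or the output of `dotnet list package` in CI so a homoglyph id never reaches a restore.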

The malicious package was first published on October 16, 2025, and remained active until NuGet removed it on October 20, 2025, after receiving security reports.


Socket.dev analysts identified the threat during routine scanning operations, uncovering a coordinated campaign by a single threat actor operating under two NuGet publisher aliases: nethereumgroup and NethereumCsharp.

NuGet search results show the malicious Netherеum (Source – Socket.dev)

Both malicious packages incorporated identical exfiltration mechanisms and utilized artificial download inflation tactics, with Netherеum.All displaying an implausible 11.6 million downloads within days of publication.

This manufactured popularity metric created a false sense of legitimacy, potentially deceiving developers during package selection.

The packages appeared functional, referencing genuine Nethereum dependencies such as Nethereum.Hex, Nethereum.Signer, and Nethereum.Util, ensuring normal compilation and expected Ethereum operations.

However, the malicious code remained dormant until specific wallet-related functions were invoked, activating the concealed exfiltration mechanism.

Technical Mechanism and Payload Analysis

The malware’s core functionality resides within EIP70221TransactionService.Shuffle, which implements a position-based XOR decoding routine to reveal the command-and-control endpoint at runtime.

The obfuscated seed string undergoes XOR operations with a 44-byte mask, decoding to https://solananetworkinstance[.]info/api/gads.

When wallet operations are executed, the malicious method captures the sensitive data and transmits it via an HTTPS POST request with a form field named “message”, stealing credentials while maintaining the appearance of legitimate blockchain interactions.
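The decoding step the article describes, a seed string XORed position by position with a fixed mask to reveal the endpoint only at runtime, is straightforward to reproduce once an analyst has pulled the two constants from the assembly. The following is an added example, not the sample's code and not Socket.dev's analysis: it uses a constructed placeholder URL and a constructed 44-byte mask (the real seed and mask are not reproduced here), shows the decode, a helper that tries candidate byte arrays extracted from a binary and keeps only those that decode to a URL, and the defanging step used when recording the result as an indicator.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder values. The real endpoint, seed and mask from the sample are not used.
PLACEHOLDER_URL = "https://c2.example.invalid/api/gads"
MASK = bytes(range(0x10, 0x10 + 44))  # constructed 44-byte mask, same length as the article reports


def position_xor(data: bytes, mask: bytes) -> bytes:
    """XOR each byte with the mask byte at the same position; the mask repeats if it is shorter."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


# What would sit in the binary as the obfuscated constant (the encode is the same XOR).
SEED = position_xor(PLACEHOLDER_URL.encode("utf-8"), MASK)


def decode_endpoint(seed: bytes, mask: bytes) -> str:
    """Reverse the position-based XOR and return the decoded string."""
    return position_xor(seed, mask).decode("utf-8", errors="replace")


# Loose URL shape: enough to separate a real decode from XOR noise.
URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w./\-?=&]*)?")


def find_masks_yielding_url(seed: bytes, candidate_masks: dict[str, bytes]) -> dict[str, str]:
    """Analyst helper: try each candidate byte array as the mask and keep those that produce a URL."""
    hits = {}
    for label, mask in candidate_masks.items():
        match = URL_RE.search(position_xor(seed, mask))
        if match:
            hits[label] = match.group().decode("utf-8", errors="replace")
    return hits


def defang(url: str) -> str:
    """Write the host with [.] so the indicator cannot be clicked or auto-linked in a report."""
    host = urlsplit(url).hostname or ""
    return url.replace(host, host.replace(".", "[.]"), 1) if host else url


if __name__ == "__main__":
    print("decoded:", defang(decode_endpoint(SEED, MASK)))
    # Constructed candidates: one correct mask and one wrong one, as pulled from static strings.
    candidates = {"const_a": MASK, "const_b": bytes([0xFF] * 44)}
    print("candidates that decode to a URL:", find_masks_yielding_url(SEED, candidates))
```

Because XOR is its own inverse, the same routine both produces the stored seed and recovers the endpoint, which is why a decoded URL appearing only at runtime is a reliable hint that the constant next to it is the mask. In detection terms, the runtime-decoded host and the `message` form field are the observable artifacts to alert on at the egress proxy, independent of which package name carried the code.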

The attack demonstrates sophisticated supply chain compromise tactics, combining Unicode homoglyphs, download manipulation, and runtime obfuscation to bypass security controls and target cryptocurrency assets.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.