Malicious NuGet Package Impersonates Tracer.Fody and Steals Cryptocurrency Wallet Data
Cybersecurity / Cryptocurrency
Researchers at Socket are tracking a malicious NuGet package that typosquats and impersonates a widely used .NET tracing library and its maintainer in order to deploy a cryptocurrency wallet stealer into developer environments and downstream workloads.
The package, “Tracer.Fody.NLog,” has persisted in the NuGet ecosystem for almost six years. It was uploaded by an account named “csnemess” on February 26, 2020. It poses as “Tracer.Fody,” which is legitimately maintained by “csnemes.” The rogue package is still live at the time of analysis and has accumulated at least 2,000 downloads, including 19 downloads of version 3.2.4 over the past six weeks.
“It presents itself as a standard .NET tracing integration but in reality functions as a cryptocurrency wallet stealer,” Socket security researcher Kirill Boychenko said. “Inside the malicious package, the embedded Tracer.Fody.dll scans the default Stratis wallet directory, reads *.wallet.json files, extracts wallet data, and exfiltrates it together with the wallet password to threat actor-controlled infrastructure in Russia at 176.113.82[.]163.”
The software supply chain security vendor notes that the actor relies on several evasion techniques to slip past a quick package review: closely cloning the legitimate maintainer identity with a one-letter difference in the username (“csnemes” vs. “csnemess”), using Cyrillic homoglyphs within the source, and burying the exfiltration logic inside a seemingly benign helper method (“Guard.NotNull”) that is expected to run during normal application execution.
Once a project pulls in the malicious dependency, the behavior is triggered at runtime: it enumerates the default Stratis wallet path on Windows (“%APPDATA%\StratisNode\stratis\StratisMain”), reads any *.wallet.json files and the associated in-memory passwords, then exfiltrates this data to the Russian-hosted IP address.
“All exceptions are silently caught, so even if the exfiltration fails, the host application continues to run without any visible error while successful calls quietly leak wallet data to the threat actor’s infrastructure,” Boychenko said.
Socket reports that the same IP address was previously observed in December 2023 in connection with another NuGet impersonation campaign. In that case, the actor published a package called “Cleary.AsyncExtensions” under the username “stevencleary,” embedding code to capture wallet seed phrases. The name choice was intended to pass as the legitimate AsyncEx NuGet library.
The case further demonstrates how malicious typosquatted packages that mirror trusted tooling can operate quietly in public open-source ecosystems, often remaining undetected by both developers and downstream security monitoring.
“Defenders should expect to see similar activity and follow-on implants that extend this pattern,” Socket said. “Likely targets include other logging and tracing integrations, argument validation libraries, and utility packages that are common in .NET projects.”
To stay ahead of this class of threats, SOC teams should continuously monitor developer and CI environments for anomalous package activity, unusual outbound connections tied to build artifacts, and unexpected access to wallet directories or secrets stores.
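One way to make the last recommendation concrete, as an added example that is not part of the Socket report: correlate per-process endpoint telemetry so that a build or application process reading Stratis wallet files, and then connecting outbound, is surfaced. The event schema (dicts with `type`, `pid`, `image`, `path` or `dest_ip`) is a hypothetical stand-in for whatever your EDR emits; the sample events and the allowlisted node binary name are constructed, and the only indicator taken from the article is the exfiltration IP.

```python
"""Flag processes that read Stratis wallet files and then talk to the network."""
import fnmatch
import re
from collections import defaultdict

# Indicator from the report; everything else below is constructed for the example.
IOC_IPS = {"176.113.82.163"}
# The default wallet directory the stealer enumerates (%APPDATA%\StratisNode\stratis\StratisMain).
WALLET_DIR_RE = re.compile(r"\\StratisNode\\stratis\\StratisMain\\", re.IGNORECASE)
WALLET_FILE_GLOB = "*.wallet.json"
# Hypothetical binary name for the node daemon that is allowed to open wallets.
WALLET_PROCESS_ALLOWLIST = {"stratis.stratisd.exe"}
WINDOW_SECONDS = 60

# Constructed telemetry: a dotnet process reads a wallet, then connects to the IOC (pid 4120);
# the node daemon reads its own wallet (pid 880); a restore hits a package mirror (pid 2200);
# another dotnet process reads a wallet, then reaches an unknown host (pid 3300).
DOTNET = r"C:\Program Files\dotnet\dotnet.exe"
WALLET = r"C:\Users\dev\AppData\Roaming\StratisNode\stratis\StratisMain\main.wallet.json"
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4120, "image": DOTNET, "type": "file_read", "path": WALLET},
    {"ts": 101, "pid": 4120, "image": DOTNET, "type": "net_connect", "dest_ip": "176.113.82.163", "dest_port": 443},
    {"ts": 90, "pid": 880, "image": r"C:\Tools\Stratis\stratis.stratisd.exe", "type": "file_read", "path": WALLET},
    {"ts": 95, "pid": 2200, "image": DOTNET, "type": "net_connect", "dest_ip": "198.51.100.20", "dest_port": 443},
    {"ts": 200, "pid": 3300, "image": DOTNET, "type": "file_read", "path": WALLET},
    {"ts": 230, "pid": 3300, "image": DOTNET, "type": "net_connect", "dest_ip": "203.0.113.7", "dest_port": 8080},
]


def is_wallet_read(ev: dict) -> bool:
    """True for a file read of a *.wallet.json file inside the default Stratis wallet directory."""
    return (
        ev["type"] == "file_read"
        and bool(WALLET_DIR_RE.search(ev["path"]))
        and fnmatch.fnmatch(ev["path"].lower(), WALLET_FILE_GLOB)
    )


def correlate(events: list[dict]) -> list[tuple[int, str, str]]:
    """Return (pid, severity, description) findings, grouped per process."""
    by_pid: dict[int, list[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        image = evs[0]["image"].lower()
        basename = image.rsplit("\\", 1)[-1]
        reads = [e for e in evs if is_wallet_read(e)]
        conns = [e for e in evs if e["type"] == "net_connect"]

        # Any process outside the allowlist touching wallet files is worth a look on its own.
        if basename not in WALLET_PROCESS_ALLOWLIST:
            for r in reads:
                findings.append((pid, "medium", f"{basename} read {r['path']}"))

        for c in conns:
            if c["dest_ip"] in IOC_IPS:
                findings.append((pid, "high", f"{basename} connected to known IOC {c['dest_ip']}"))
            elif any(0 <= c["ts"] - r["ts"] <= WINDOW_SECONDS for r in reads):
                findings.append((pid, "high",
                                 f"{basename} reached {c['dest_ip']} within {WINDOW_SECONDS}s of a wallet read"))
    return findings


if __name__ == "__main__":
    for pid, sev, desc in correlate(SAMPLE_EVENTS):
        print(f"{sev.upper():6} pid={pid} {desc}")
```

The IOC match is the cheap, brittle signal; the read-then-connect correlation is what survives the actor rotating infrastructure, which the December 2023 reuse of the same IP suggests they do not always bother to do. The allowlist is the knob that keeps the genuine node daemon out of the alerts.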