Coverage from The Hacker News indicates a sophisticated cybersecurity threat has been operating undetected for nearly six years. Researchers have uncovered a malicious NuGet package designed to impersonate a legitimate .NET tracing library, ultimately functioning as a cryptocurrency wallet stealer.

The package, named "Tracer.Fody.NLog," was published in February 2020 and remained on the repository with over 2,000 downloads. It closely mimicked the legitimate "Tracer.Fody" library by using a nearly identical author name and even Cyrillic lookalike characters. Once integrated into a project, the malicious code silently scans for Stratis cryptocurrency wallet files and passwords, exfiltrating this sensitive data to a Russian-hosted IP address. The attack method was designed to evade detection, with malicious routines hidden within common functions and exceptions handled silently to avoid application errors.

This incident highlights the persistent risks within software supply chains and the effectiveness of typosquatting attacks. The reuse of the same IP address in a previous NuGet impersonation attack suggests a coordinated effort by threat actors. Developers and organizations must exercise extreme caution when incorporating third-party libraries, verifying package authenticity and author credentials rigorously.

Source: The Hacker News
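One way to screen dependencies for the impersonation pattern described above, as an added example that is not code from the article or from the researchers. It assumes a reviewer-maintained list of trusted package IDs and authors; the author value `example-author` is constructed, and because the article does not say which field carried the lookalike characters, both the ID and the author are checked.

```python
import unicodedata

# Cyrillic letters that render like Latin ones. Partial map chosen for this
# example; a production check would use the full Unicode confusables data.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})

def scripts(text):
    """Scripts of the letters in text, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def skeleton(text):
    """Fold lookalikes to Latin and lowercase, so imitations compare equal."""
    return text.translate(CONFUSABLES).lower()

def review(package_id, author, trusted):
    """Compare one dependency with trusted {package id: author}; return findings."""
    findings = []
    for label, value in (("id", package_id), ("author", author)):
        if len(scripts(value)) > 1:
            findings.append(f"{label} mixes scripts")
    if trusted.get(package_id) == author:
        return findings  # exact match with an approved entry
    for good_id, good_author in trusted.items():
        # A trusted name used as a prefix suggests a fake "add-on" package.
        if skeleton(package_id).startswith(skeleton(good_id) + "."):
            findings.append(f"id extends trusted package {good_id}")
        # Same skeleton but different bytes means a lookalike author name.
        if skeleton(author) == skeleton(good_author) and author != good_author:
            findings.append(f"author imitates {good_author}")
    return findings

# Constructed sample data: the author names are placeholders, not real accounts.
TRUSTED = {"Tracer.Fody": "example-author"}
SAMPLE = [
    ("Tracer.Fody", "example-author"),
    ("Tracer.Fody.NLog", "ex\u0430mple-author"),  # Cyrillic U+0430 in author
    ("Serilog", "other-team"),
]

if __name__ == "__main__":
    for pkg, who in SAMPLE:
        print(pkg, review(pkg, who, TRUSTED) or "ok")
```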
Security Operations, Supply chain, Malware
Malicious NuGet package steals cryptocurrency wallets




