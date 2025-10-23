Threat Intelligence, Supply chain

Typosquatted Nethereum package seeks to pilfer crypto wallet keys

Intrusions exfiltrating cryptocurrency wallet keys have been facilitated by a malicious package impersonating the widely used Ethereum .NET integration platform Nethereum uploaded to the NuGet package manager, The Hacker News reports. Threat actors behind the typosquatted Nethereum.All package have not only replaced the final "e" with the Cyrillic homoglyph "e" (U+0435) but also overinflated download counts to establish legitimacy, a report from the Socket Threat Research Team showed. Hidden within the package's EIP70221TransactionService.Shuffle function is the primary payload, which enables sensitive crypto wallet data theft, according to researchers, who also discovered Nethereum.All's uploader "nethereumgroup" to have also pushed the similar NethereumNet package earlier this month. Both packages have since been removed. Such a development comes more than a year after multiple malicious packages uploaded to the NuGet repository were reported by ReversingLabs to have replaced elements to convincingly masquerade as official packages.

