
Malicious NuGet Package Steals Cryptocurrency via Typosquatting Scam

  • A malicious NuGet package posing as a popular .NET tracing library has been active since 2020.
  • The package, “Tracer.Fody.NLog,” steals cryptocurrency wallet data by scanning wallet files and passwords.
  • The attacker uses tactics like name spoofing and hiding code in common functions to avoid detection.
  • The stolen data is sent to a server located in Russia at IP address 176.113.82.163.
  • Similar attacks using the same server have targeted other NuGet libraries with cryptocurrency theft features.

A new cyber threat has been identified involving a malicious NuGet package called “Tracer.Fody.NLog” that impersonates a well-known .NET tracing library. Published on February 26, 2020, by a user named “csnemess,” this deceptive package mimics the legitimate Tracer.Fody library maintained by csnemes. It remains available on the repository and has been downloaded over 2,000 times, including 19 downloads in recent weeks.


The package operates as a cryptocurrency wallet stealer by scanning the default Stratis wallet directory on Windows systems (“%APPDATA%\StratisNode\stratis\StratisMain”). It reads wallet files with the extension *.wallet.json and extracts wallet passwords held in memory. The collected information is then surreptitiously sent to a command-and-control server hosted in Russia at IP address 176.113.82.163, according to Socket security researcher Kirill Boychenko.

To avoid easy detection, the attacker employed several methods. These include using a username differing by only one letter (“csnemes” vs. “csnemess”), embedding Cyrillic lookalike characters in the source code, and hiding the malicious data exfiltration routine inside a common helper function named “Guard.NotNull,” which runs during normal program use. Any errors encountered while exfiltrating data are silently handled to prevent disrupting the host application.
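A dependency audit can catch the two naming tricks described above. The following is an added example, not code from the article or from Socket: it flags owner names and package IDs that sit within a small edit distance of a vetted pair, and any non-Latin letters in those identifiers. The allowlist, the distance threshold and the function names are assumptions, and the same non-Latin check is applied here to package metadata rather than to source code.

```python
import unicodedata

# Constructed allowlist: package id -> vetted owner (the legitimate pair named above).
TRUSTED = {"Tracer.Fody": "csnemes"}
MAX_DISTANCE = 2  # assumed threshold for "suspiciously close" names

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def non_latin_letters(text: str) -> list[str]:
    """Letters outside the Latin script, e.g. Cyrillic lookalikes of a/c/e/o."""
    return [c for c in text
            if c.isalpha() and not unicodedata.name(c, "").startswith("LATIN")]

def audit(package_id: str, owner: str) -> list[str]:
    """Return findings for one dependency; an empty list means nothing flagged."""
    findings = []
    for label, value in (("package id", package_id), ("owner", owner)):
        odd = non_latin_letters(value)
        if odd:
            findings.append(f"{label} has non-Latin letters: {odd}")
    pid, own = package_id.lower(), owner.lower()  # NuGet ids are case-insensitive
    for good_id, good_owner in TRUSTED.items():
        gid, gown = good_id.lower(), good_owner.lower()
        if own == gown:
            continue  # published by the vetted account
        if edit_distance(own, gown) <= MAX_DISTANCE:
            findings.append(f"owner '{owner}' resembles trusted owner '{good_owner}'")
        if pid.startswith(gid + ".") or edit_distance(pid, gid) <= MAX_DISTANCE:
            findings.append(f"id '{package_id}' resembles '{good_id}' but owner differs")
    return findings

if __name__ == "__main__":
    # Constructed dependency list: (package id, owner account).
    for dep in [("Tracer.Fody", "csnemes"), ("Tracer.Fody.NLog", "csnemess")]:
        print(dep, audit(*dep) or "ok")
```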

This threat is not isolated. The same Russian IP was linked to a previous NuGet package impersonation attack in December 2023 involving “Cleary.AsyncExtensions,” which was published under the alias “stevencleary” and also targeted cryptocurrency wallet seed phrases. That package posed as the legitimate AsyncEx NuGet library.

Such incidents highlight security risks posed by typosquatting attacks—in which malicious actors imitate legitimate software packages to exploit developers and users. Ongoing vigilance is essential, as attackers may target common .NET tools like logging, tracing, argument validation, and utility packages in future campaigns.
