BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Malicious NuGet Package Steals Cryptocurrency via Typosquatting Scam

  • A malicious NuGet package posing as a popular .NET tracing library has been active since 2020.
  • The package, “Tracer.Fody.NLog,” steals cryptocurrency wallet data by scanning wallet files and passwords.
  • The attacker uses tactics like name spoofing and hiding code in common functions to avoid detection.
  • The stolen data is sent to a server located in Russia at IP address 176.113.82.163.
  • Similar attacks using the same server have targeted other NuGet libraries with cryptocurrency theft features.

A new cyber threat has been identified involving a malicious NuGet package called “Tracer.Fody.NLog” that impersonates a well-known .NET tracing library. Published on February 26, 2020, by a user named “csnemess,” this deceptive package mimics the legitimate Tracer.Fody library maintained by csnemes. It remains available on the repository and has been downloaded over 2,000 times, including 19 downloads in recent weeks.

- Advertisement -

The package operates as a cryptocurrency wallet stealer by scanning the default Stratis wallet directory on Windows systems (“%APPDATA%\\StratisNode\\stratis\\StratisMain”). It reads wallet files with the extension *.wallet.json and extracts wallet passwords held in memory. The collected information is then surreptitiously sent to a command-and-control server hosted in Russia at IP address 176.113.82.163, according to explanations by Socket security researcher Kirill Boychenko, as noted here.

To avoid easy detection, the attacker employed several methods. These include using a username differing by only one letter (“csnemes” vs. “csnemess”), embedding Cyrillic lookalike characters in the source code, and hiding the malicious data exfiltration routine inside a common helper function named “Guard.NotNull,” which runs during normal program use. Any errors encountered while exfiltrating data are silently handled to prevent disrupting the host application.

This threat is not isolated. The same Russian IP was linked to a previous NuGet package impersonation attack in December 2023, involving “Cleary.AsyncExtensions,” which also targeted cryptocurrency wallet seed phrases under the alias “stevencleary,” as detailed here. This package posed as the legitimate AsyncEx NuGet library.

Such incidents highlight security risks posed by typosquatting attacks—in which malicious actors imitate legitimate software packages to exploit developers and users. Ongoing vigilance is essential, as attackers may target common .NET tools like logging, tracing, argument validation, and utility packages in future campaigns.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

TrojPix Air-Gap Attack Uses Monitor Cables

Researchers at Shandong University have demonstrated a new covert data exfiltration technique called TrojPix.The...

Bitcoin Reclaims $63k as Crypto Market Sees July Reversal

Bitcoin (BTC) reclaimed $63,000 in early July 2026, signaling a market reversal after a...

2026 ASEAN SHOP Opens in Kuala Lumpur to Drive Southeast Asia’s Smart Retail Growth

KUALA LUMPUR, Malaysia. ASEAN SHOP will host its 2026 edition at the MITEC Pavilion...

Bitcoin Data Strong Amid Selling and Yield Fears

Despite a zero ByteTrend score, the Bitcoin network's weekly on-chain transaction value is $13.5...

Ohio County Paid $1M After Data Heist

Union County, Ohio, paid roughly $1 million in Bitcoin to the cyber group Kairos...

Must Read

Top 9 VPNs That Accept Bitcoin And Crypto

CyberGhost | FastVPN | TorGuard | Private Internet Access | ExpressVPN | NordVPN | Private VPN | SurfShark | AirVPN | Why Buy VPN...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading