- Malicious typosquat packages have been uploaded to the NuGet package manager targeting Nethereum, a .NET library for Ethereum integration.
- The fake package Netherеum.All steals crypto wallet keys by sending sensitive data to a command-and-control server.
- The attacker used a Cyrillic “е” homoglyph in the package name to deceive developers into downloading the Malware.
- False download counts were manipulated to show over 11 million installs, falsely boosting the package’s credibility.
- NuGet does not restrict package names to ASCII-only, which allows homoglyph attacks unlike other repositories such as PyPI or npm.
Security researchers have revealed a new supply chain attack on the NuGet package manager involving malicious versions of Nethereum, a popular .NET library used for Ethereum blockchain integration. The attack uses a typosquatted package named Netherеum.All that steals users’ cryptocurrency wallet keys by extracting and transmitting sensitive information.
The fraudulent package was uploaded on October 16, 2025, by a user named “nethereumgroup” and removed four days later for violating NuGet policies. This package replaces the last letter “e” in “Nethereum” with a Cyrillic “е” (U+0435), a nearly identical character, tricking developers who fail to notice the difference.
Security company Socket identified the package’s core malicious function, which decodes an encoded URL for a command-and-control server at solananetworkinstance[.]info/api/gads. This function steals mnemonic phrases, private keys, and other wallet data, sending them to attackers. The Hackers also artificially inflated the package’s download count to 11.7 million to create the appearance of popularity, according to security researcher Kirill Boychenko, who explained that scripted downloads from cloud hosts can fake high usage numbers.
Boychenko stated, “A threat actor can publish many versions, then script downloads of each .nupkg through the v3 flat-container or loop nuget.exe install and dotnet restore with no-cache options from cloud hosts. Rotating IPs and user agents and parallelizing requests boosts volume while avoiding client caches.”
This glowing display of download figures helps the malicious package appear in top search results and gain developers’ trust. Researchers also noted a previous fake package named “NethereumNet” uploaded earlier in October with similar traits but has since been removed.
Homoglyph attacks exploiting Cyrillic or other similar-looking characters have surfaced before on NuGet. Unlike other repositories like PyPI, npm, Maven Central, Go Module, and RubyGems, which restrict package names to ASCII characters, NuGet only forbids spaces and unsafe URL characters. This lack of strict naming rules has made such typosquatting attacks more feasible.
Users are strongly advised to verify package authenticity by checking publisher identity, scrutinizing unusual download spikes, and monitoring network traffic for suspicious data transmissions.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Nvidia (NVDA) Share Price Forecast for the Next Five Years
- How to Set Up a Simple Bitcoin Tip Jar for Your Site or Stream
- Novogratz Sees Bitcoin Rangebound at $120K-$125K Through 2025
- DraftKings Acquires Railbird to Launch Predictions App
- Pentera Resolve Bridges Security Validation with Automated Remediation
