BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

NuGet Typosquat Attack Steals Crypto Wallet Keys via Nethereum

NuGet Typosquatting Attack Targets Nethereum Library to Steal Crypto Wallet Keys Using Cyrillic Homoglyphs

  • Malicious typosquat packages have been uploaded to the NuGet package manager targeting Nethereum, a .NET library for Ethereum integration.
  • The fake package Netherеum.All steals crypto wallet keys by sending sensitive data to a command-and-control server.
  • The attacker used a Cyrillic “е” homoglyph in the package name to deceive developers into downloading the Malware.
  • False download counts were manipulated to show over 11 million installs, falsely boosting the package’s credibility.
  • NuGet does not restrict package names to ASCII-only, which allows homoglyph attacks unlike other repositories such as PyPI or npm.

Security researchers have revealed a new supply chain attack on the NuGet package manager involving malicious versions of Nethereum, a popular .NET library used for Ethereum blockchain integration. The attack uses a typosquatted package named Netherеum.All that steals users’ cryptocurrency wallet keys by extracting and transmitting sensitive information.

- Advertisement -

The fraudulent package was uploaded on October 16, 2025, by a user named “nethereumgroup” and removed four days later for violating NuGet policies. This package replaces the last letter “e” in “Nethereum” with a Cyrillic “е” (U+0435), a nearly identical character, tricking developers who fail to notice the difference.

Security company Socket identified the package’s core malicious function, which decodes an encoded URL for a command-and-control server at solananetworkinstance[.]info/api/gads. This function steals mnemonic phrases, private keys, and other wallet data, sending them to attackers. The Hackers also artificially inflated the package’s download count to 11.7 million to create the appearance of popularity, according to security researcher Kirill Boychenko, who explained that scripted downloads from cloud hosts can fake high usage numbers.

Boychenko stated, “A threat actor can publish many versions, then script downloads of each .nupkg through the v3 flat-container or loop nuget.exe install and dotnet restore with no-cache options from cloud hosts. Rotating IPs and user agents and parallelizing requests boosts volume while avoiding client caches.”

This glowing display of download figures helps the malicious package appear in top search results and gain developers’ trust. Researchers also noted a previous fake package named “NethereumNet” uploaded earlier in October with similar traits but has since been removed.

- Advertisement -

Homoglyph attacks exploiting Cyrillic or other similar-looking characters have surfaced before on NuGet. Unlike other repositories like PyPI, npm, Maven Central, Go Module, and RubyGems, which restrict package names to ASCII characters, NuGet only forbids spaces and unsafe URL characters. This lack of strict naming rules has made such typosquatting attacks more feasible.

Users are strongly advised to verify package authenticity by checking publisher identity, scrutinizing unusual download spikes, and monitoring network traffic for suspicious data transmissions.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Russia, India push de-dollarization to hit $100 billion trade target

Russia and India are accelerating a bilateral trade deal to reach a $100 billion...

AI freelancers could drive $262B in stablecoin payments by 2033

Swyftx projects that $262 billion of the AI-native gig economy's payment volume could be...

LINE NEXT launches global stablecoin platform Unifi

LINE NEXT has launched Unifi, a non-custodial stablecoin platform, now available globally as it...

Saylor’s ‘Orange Dots’ Signal Fails to Clarify Bitcoin Strategy

Strategy founder Michael Saylor posted a cryptic signal on Sunday, prompting analysts to call...

Crypto’s $2T Crash Awaits BlackRock Shock & FOMO

Bitcoin has stabilized near $60,000 after a downturn erased $2 trillion from the crypto...

Must Read

7 Best Cryptocurrency Lending Platforms in 2025 (Ranked & Reviewed)

QUICK LINKSOur MethodologyHow to Choose the Best Crypto Lending Platform: Key Factors to ConsiderIn-Depth Reviews of the 7 Best Crypto Lending Platforms1. Nexo -...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading