Malicious NuGet Package Masquerades as Tracer.Fody to Steal Cryptocurrency Wallet Data
Cybersecurity researchers have identified a malicious NuGet package named Tracer.Fody.NLog that impersonates the legitimate .NET tracing library Tracer.Fody to deploy a cryptocurrency wallet stealer. Published on February 26, 2020, by a user named csnemess, this rogue package has been available for nearly six years and has been downloaded at least 2,000 times, with 19 downloads occurring in the last six weeks for version 3.2.4.
The package presents itself as a standard .NET tracing integration but functions as a cryptocurrency wallet stealer. It contains an embedded Tracer.Fody.dll that scans the default Stratis wallet directory, reads .wallet.json files, extracts wallet data, and exfiltrates it along with the wallet password to a threat actor-controlled server in Russia at IP address 176.113.82[.]163.
To evade detection, the threat actor employed several tactics:
– Typosquatting: The malicious package’s author name csnemess differs from the legitimate maintainer csnemes by a single letter.
– Cyrillic Lookalike Characters: The source code uses Cyrillic letters that are visually identical to Latin ones, so a lookalike identifier reads as the legitimate name during code review.
– Concealed Malicious Code: The harmful routine is hidden inside a generic helper named Guard.NotNull, the kind of argument check a host application calls constantly during normal execution, so the payload runs without any dedicated entry point.
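Two of the three tactics above can be checked mechanically before a package reference is accepted. The following Python script is an added example, not code from the report or from the Tracer.Fody project; it flags author names within a small edit distance of a known maintainer (csnemess vs csnemes) or a package ID that extends a known package's namespace under a different author, and it scans source text for identifiers whose letters come from more than one Unicode script. The KNOWN_PACKAGES allowlist and the sample C# source are assumptions constructed for the example.

```python
import re
import unicodedata

# Assumed allowlist for this example: legitimate package id -> its maintainer on NuGet.
KNOWN_PACKAGES = {
    "Tracer.Fody": "csnemes",
    "Nito.AsyncEx": "StephenCleary",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between a and b (number of single-character edits)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def audit_package(pkg_id: str, author: str, max_dist: int = 2) -> list[str]:
    """Reasons a package reference looks like an impersonation of a known package."""
    reasons = []
    lid = pkg_id.lower()
    for kid, kauthor in KNOWN_PACKAGES.items():
        same_author = author.lower() == kauthor.lower()
        if lid == kid.lower() and not same_author:
            reasons.append(f"id is {kid} but author {author} is not {kauthor}")
        elif lid.startswith(kid.lower() + ".") and not same_author:
            reasons.append(f"extends the {kid} namespace but author {author} is not {kauthor}")
        d = edit_distance(author.lower(), kauthor.lower())
        if 0 < d <= max_dist:
            reasons.append(f"author {author} is {d} edit(s) from {kauthor}")
    return reasons


# Identifier: a letter or underscore followed by word characters (Unicode-aware).
IDENT_RE = re.compile(r"[^\W\d]\w*")


def script_of(ch: str) -> str:
    """First word of the character's Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def mixed_script_identifiers(source: str) -> list[tuple[int, str, set[str]]]:
    """(line, identifier, scripts) for identifiers whose letters span more than one script."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in IDENT_RE.finditer(line):
            ident = m.group()
            scripts = {script_of(c) for c in ident if c.isalpha()}
            if len(scripts) > 1:
                findings.append((lineno, ident, scripts))
    return findings


# Constructed sample: a clean Guard class and a lookalike whose name contains Cyrillic 'а' (U+0430).
SAMPLE_SOURCE = (
    "public static class Guard {\n"
    "    public static T NotNull<T>(T value) { return value; }\n"
    "}\n"
    "public static class Gu\u0430rd {\n"
    "    public static T NotNull<T>(T value) { /* payload would go here */ return value; }\n"
    "}\n"
)

if __name__ == "__main__":
    for pkg, who in [("Tracer.Fody.NLog", "csnemess"),
                     ("Cleary.AsyncExtensions", "stevencleary"),
                     ("Tracer.Fody", "csnemes")]:
        print(pkg, who, audit_package(pkg, who) or "ok")
    for lineno, ident, scripts in mixed_script_identifiers(SAMPLE_SOURCE):
        print(f"line {lineno}: {ident!r} mixes {sorted(scripts)}: {[hex(ord(c)) for c in ident]}")
```

The edit-distance check deliberately compares author names rather than package IDs, because Tracer.Fody.NLog is not a misspelling of Tracer.Fody; it is a plausible-looking add-on, and the only cheap signal is that its publisher is one character away from the real maintainer. The mixed-script scan is coarse (it groups by the first word of the Unicode name) and will also flag legitimate non-English identifiers, so treat its output as a review queue, not a verdict.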
Once a project references the malicious package and the host application calls into it, the code scans the default Stratis wallet directory on Windows (%APPDATA%\StratisNode\stratis\StratisMain), reads .wallet.json files and the in-memory wallet password, and sends them to the Russian-hosted IP address. Every exception is swallowed, so a failed exfiltration produces no visible error and the host application keeps running, while successful calls quietly leak wallet data to the threat actor's infrastructure.
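Because the stealer ships as a compiled Tracer.Fody.dll inside the package, the quickest triage on a build machine is to look for the report's indicators inside every assembly in the NuGet package cache. The script below is an added example, not code from the report or from any Stratis or Tracer.Fody project. It checks each indicator in both ASCII and UTF-16LE, because C# string literals are stored in an assembly's #US heap as UTF-16LE and an ASCII-only grep misses them. The NuGet cache location, the indicator list and SAMPLE_BLOB (a constructed stand-in for a suspicious DLL's bytes) are assumptions for the example.

```python
import os
from pathlib import Path

# Indicators from the report. The IP is kept de-fanged in the source and re-fanged only for matching.
INDICATORS = [
    "StratisNode",            # wallet directory name under %APPDATA%
    ".wallet.json",           # wallet file extension the stealer reads
    "176.113.82[.]163".replace("[.]", "."),
]


def scan_bytes(blob: bytes) -> dict[str, list[str]]:
    """Map each indicator present in blob to the encodings it was found in.

    .NET string literals live in the assembly's #US heap as UTF-16LE, so a plain
    ASCII search of a DLL misses them; both encodings are tried for each indicator.
    """
    hits: dict[str, list[str]] = {}
    for ind in INDICATORS:
        needles = (("ascii", ind.encode("ascii")), ("utf-16le", ind.encode("utf-16-le")))
        found = [enc for enc, needle in needles if needle in blob]
        if found:
            hits[ind] = found
    return hits


def scan_nuget_cache(root: str = "") -> dict[str, dict[str, list[str]]]:
    """Scan every DLL under the NuGet global packages folder (or `root`); return hits per file."""
    base = Path(root or os.environ.get("NUGET_PACKAGES") or Path.home() / ".nuget" / "packages")
    results: dict[str, dict[str, list[str]]] = {}
    for dll in base.rglob("*.dll"):
        try:
            hits = scan_bytes(dll.read_bytes())
        except OSError:
            continue
        if hits:
            results[str(dll)] = hits
    return results


# Constructed stand-in for a suspicious assembly: a PE-like prefix followed by the
# UTF-16LE string literals a C# compiler would emit for the stealer's paths and endpoint.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "%APPDATA%\\StratisNode\\stratis\\StratisMain".encode("utf-16-le") + b"\x00\x00"
    + ".wallet.json".encode("utf-16-le") + b"\x00\x00"
    + "http://176.113.82.163/".encode("utf-16-le")
)

if __name__ == "__main__":
    print("sample blob:", scan_bytes(SAMPLE_BLOB))
    for path, hits in scan_nuget_cache().items():
        print(path, hits)
```

A hit on "StratisNode" or ".wallet.json" alone is not proof of compromise, since genuine Stratis wallet software contains the same strings; the IP address is the stronger signal. Either way, confirm by comparing the cached .nupkg against the version your lock file expects and by checking the package's author against the legitimate maintainer before deleting the cache entry and rotating any wallet credentials that were on the machine.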
Notably, the same IP address was previously used in December 2023 in connection with another NuGet impersonation attack. In that instance, a package named Cleary.AsyncExtensions was published under the alias stevencleary and included functionality to siphon wallet seed phrases. The package was designed to disguise itself as the AsyncEx NuGet library.
These findings show how a typosquat that mirrors a legitimate tool can operate unnoticed for years in an open-source package ecosystem. Defenders should expect similar activity and follow-on implants that extend this pattern; likely targets include other logging and tracing integrations, argument validation libraries, and the utility packages that are common in .NET projects.