Cybercriminals Exploit Homoglyphs in Fake Nethereum NuGet Package to Steal Cryptocurrency Wallet Keys

In a recent cybersecurity incident, researchers have identified a sophisticated supply chain attack targeting the NuGet package manager. The attackers employed a malicious typosquat of Nethereum, a widely used Ethereum .NET integration platform, to exfiltrate sensitive cryptocurrency wallet information from unsuspecting developers.

The deceptive package, named Netherеum.All, was discovered to contain code designed to decode a command-and-control (C2) endpoint. This functionality enabled the extraction of mnemonic phrases, private keys, and keystore data from compromised systems. Security firm Socket reported that the package was uploaded by a user with the alias nethereumgroup on October 16, 2025. It remained available on NuGet for four days before being removed for violating the platform’s Terms of Use.

Homoglyph Technique:

A notable aspect of this attack is the use of a homoglyph—a character that appears similar to another but is different in Unicode. In this case, the attackers replaced the last e in Nethereum with the Cyrillic letter е (U+0435). This subtle alteration is challenging to detect visually, leading developers to inadvertently download the malicious package.

Artificial Download Inflation:

To enhance the package’s credibility, the threat actors artificially inflated its download count, claiming over 11.7 million downloads. Such a high number for a newly uploaded library is highly suspicious. Security researcher Kirill Boychenko explained that attackers can publish multiple versions and script downloads using various methods to boost the appearance of popularity. This tactic manipulates search relevance and lends a false sense of legitimacy to the package.

Malicious Payload Details:

The core of the malicious activity resides in a function named EIP70221TransactionService.Shuffle. This function decodes an XOR-encoded string to extract the C2 server address (solananetworkinstance[.]info/api/gads) and subsequently transmits sensitive wallet data to the attacker.

Previous Similar Incidents:

Further investigation revealed that the same threat actor had previously uploaded another NuGet package titled NethereumNet with similar malicious functionalities earlier in the month. This package has also been removed by the NuGet security team.

Broader Context:

This incident is part of a growing trend where attackers exploit open-source package repositories to distribute malware. In July 2024, ReversingLabs documented several packages in the NuGet repository that impersonated legitimate counterparts by substituting characters in their names with look-alike equivalents to bypass casual inspection. Unlike PyPI, npm, Maven Central, Go Module, and RubyGems, which enforce ASCII naming conventions, NuGet imposes no such restriction, which allows this type of abuse.

Recommendations:

To mitigate risks associated with such attacks, developers are advised to:

– Verify Publisher Identity: Ensure that the package is published by a legitimate and recognized entity.

– Monitor Download Patterns: Be cautious of packages with sudden or unusually high download counts, as this may indicate artificial inflation.

– Inspect Package Names Carefully: Look out for subtle character substitutions or anomalies in package names.

– Monitor Network Traffic: Regularly check for unusual or unauthorized data transmissions from development environments.
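The homoglyph substitution described in the "Homoglyph Technique" section and the "Inspect Package Names Carefully" recommendation above can both be turned into a mechanical check. The following is an added example written for this article; it is not code from Socket, Nethereum, or NuGet. It parses a constructed SDK-style .csproj (the file contents and package versions are made up for the example; the Cyrillic е at U+0435 mirrors the substitution the article describes), flags every PackageReference whose name contains a character outside printable ASCII, reports the code point and Unicode name of each such character, and lists the scripts mixed in the name so that a Latin/Cyrillic mix stands out. The helper names (`non_ascii_chars`, `scripts_used`, `escaped_name`, `audit_csproj`) are this example's own.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample project file (not from the article). The second
# PackageReference spells "Nethereum" with a Cyrillic 'е' (U+0435) in
# place of the last Latin 'e', as in the typosquat the article describes.
# Versions are placeholders.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Nether\u0435um.All" Version="0.0.0" />
    <PackageReference Include="Nethereum.Web3" Version="0.0.0" />
  </ItemGroup>
</Project>
"""


def non_ascii_chars(name):
    """Return (index, char, 'U+XXXX', unicode name) for every character of
    `name` that lies outside the printable ASCII range 0x20-0x7E."""
    findings = []
    for i, ch in enumerate(name):
        cp = ord(ch)
        if cp < 0x20 or cp > 0x7E:
            findings.append((i, ch, f"U+{cp:04X}", unicodedata.name(ch, "UNKNOWN")))
    return findings


def scripts_used(name):
    """Approximate the set of scripts among the letters of `name` by taking
    the first word of each letter's Unicode name (e.g. 'LATIN', 'CYRILLIC').
    A package name mixing two scripts is a strong homoglyph indicator."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def escaped_name(name):
    """Render `name` so that non-ASCII characters become visible \\uXXXX
    escapes; useful in logs and review output where a look-alike glyph
    would otherwise be indistinguishable from the genuine letter."""
    return name.encode("ascii", "backslashreplace").decode("ascii")


def package_references(csproj_text):
    """Extract the Include attribute of every PackageReference element."""
    root = ET.fromstring(csproj_text)
    return [el.get("Include") for el in root.iter("PackageReference") if el.get("Include")]


def audit_csproj(csproj_text):
    """Return {package_name: {'chars': [...], 'scripts': {...}, 'escaped': str}}
    for every referenced package whose name contains non-ASCII characters.
    An empty dict means every reference is plain ASCII."""
    report = {}
    for name in package_references(csproj_text):
        hits = non_ascii_chars(name)
        if hits:
            report[name] = {
                "chars": hits,
                "scripts": scripts_used(name),
                "escaped": escaped_name(name),
            }
    return report


if __name__ == "__main__":
    findings = audit_csproj(SAMPLE_CSPROJ)
    if not findings:
        print("All PackageReference names are ASCII.")
    for name, info in findings.items():
        print(f"SUSPICIOUS: {info['escaped']}  scripts={sorted(info['scripts'])}")
        for idx, ch, cp, uname in info["chars"]:
            print(f"  position {idx}: {ch!r} {cp} {uname}")
```

Run against a real project by reading the .csproj from disk and passing its text to `audit_csproj`; the same check can be applied to the `dependencies` keys of a packages.lock.json. Because NuGet does not enforce ASCII names, an empty report is a necessary but not sufficient condition: it rules out this class of homoglyph, not ordinary ASCII typosquats, so the publisher-identity check above still applies.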

By adopting these practices, developers can better protect themselves and their projects from supply chain attacks that exploit open-source repositories.