A sophisticated supply chain attack has recently emerged, targeting cryptocurrency developers through the NuGet package ecosystem. Cybersecurity researchers have identified malicious packages masquerading as Nethereum, a widely trusted .NET library for Ethereum blockchain interactions, which has been downloaded tens of millions of times.
Deceptive Tactics and Package Identification
The counterfeit packages, named Netherеum.All and NethereumNet, hide code that exfiltrates wallet secrets: private keys, mnemonics, keystore JSON files and signed transaction data. Netherеum.All is a homoglyph typosquat: the Latin letter e in the package name is replaced with the visually identical Cyrillic small letter ie (U+0435), so the fraudulent name is nearly indistinguishable from the legitimate Nethereum library on casual inspection. NethereumNet contains no hidden character and simply borrows the Nethereum name.
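The substitution can be caught mechanically before a restore ever runs. The following check is an added example, not code from the report or from the Nethereum project: it parses the PackageReference entries of a .csproj, folds common Cyrillic look-alike letters back to Latin, and flags any name that contains non-ASCII characters, reporting which trusted package its folded form imitates. The sample project file, the trusted list and the confusable table are constructed for the example; extend the table (Unicode TR39 lists the full set) if your dependency names need other scripts.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Cyrillic letters that render identically to Latin letters in most fonts.
# Constructed subset for this example; Unicode TR39 covers many more.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}

# Package IDs the project is expected to depend on (assumed trusted for the
# example; Nethereum.Hex/Signer/Util are the genuine dependencies the fake
# packages referenced).
TRUSTED = ["Nethereum.All", "Nethereum.Hex", "Nethereum.Signer", "Nethereum.Util"]

# Constructed project file: the second reference spells Nethereum with a
# Cyrillic IE (U+0435) in place of the Latin e, exactly as in the attack.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nethereum.Hex" Version="4.0.0" />
    <PackageReference Include="Nether\u0435um.All" Version="4.0.0" />
  </ItemGroup>
</Project>"""


def skeleton(name):
    """Fold look-alike letters to Latin so a homoglyph name compares equal
    to the name it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def non_ascii_chars(name):
    """Every non-ASCII character in the name with its code point and
    Unicode name; a NuGet package ID has no business containing one."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
            for ch in name if ord(ch) > 0x7F]


def package_references(csproj_xml):
    root = ET.fromstring(csproj_xml)
    return [el.get("Include") for el in root.iter("PackageReference")
            if el.get("Include")]


def audit_csproj(csproj_xml, trusted=TRUSTED):
    """One finding per suspicious PackageReference: the raw name, the
    offending characters, and the trusted package it imitates (None when
    the folded name matches nothing we know)."""
    trusted_by_skeleton = {skeleton(t): t for t in trusted}
    findings = []
    for name in package_references(csproj_xml):
        chars = non_ascii_chars(name)
        if not chars:
            continue
        findings.append({
            "name": name,
            "chars": chars,
            "impersonates": trusted_by_skeleton.get(skeleton(name)),
        })
    return findings


if __name__ == "__main__":
    for f in audit_csproj(SAMPLE_CSPROJ):
        print(f"{f['name']!r}: {f['chars']} -> looks like {f['impersonates']}")
```

Run it as a pre-restore step in CI over every project file; the non-ASCII test alone is enough to block the attack described here, and the skeleton comparison tells the reviewer which real package the entry was trying to pass as.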
Timeline and Discovery
The malicious package was first published on October 16, 2025, and stayed available until NuGet removed it on October 20, 2025, following security reports. Analysts at Socket.dev identified the threat during routine scanning and attributed both packages to a single threat actor operating under two NuGet publisher aliases, nethereumgroup and NethereumCsharp.
Artificial Download Inflation and Deceptive Legitimacy
Both packages shared the same exfiltration code and had their download counts artificially inflated: Netherеum.All showed an implausible 11.6 million downloads within days of publication. A manufactured popularity figure like this lends false legitimacy and can tip a developer's choice when several similarly named packages turn up in a search.
Functionality and Activation of Malicious Code
The packages looked functional: they referenced genuine Nethereum dependencies such as Nethereum.Hex, Nethereum.Signer and Nethereum.Util, so projects compiled normally and ordinary Ethereum operations behaved as expected. The malicious code stayed dormant until specific wallet-related functions were called, at which point the hidden exfiltration routine ran. Because nothing happens at install or build time, tests that never touch a wallet would not trigger it.
Technical Mechanism and Payload Analysis
The malware's core lives in EIP70221TransactionService.Shuffle, a position-based XOR decoding routine that rebuilds the command-and-control endpoint at runtime: an obfuscated seed string is XORed byte by byte with a 44-byte mask and decodes to https://solananetworkinstance[.]info/api/gads. Because the URL exists only in encoded form on disk, a plain string search of the shipped assembly for the hostname finds nothing; the endpoint appears only in memory, at the moment of use. When a wallet operation runs, the malicious method captures the sensitive data and sends it in an HTTPS POST with a form field named message, stealing credentials while the surrounding blockchain call behaves normally.
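To make the mechanism concrete, the added example below (not the report's analysis code and not the package's own code) reimplements a position-based XOR decoder of the kind described, shows why the encoded seed defeats string-based IOC scanning of the binary, and then applies the one thing the obfuscation cannot hide: the shape of the outbound POST. The seed/mask pair is constructed here (the real constants are not reproduced), the mask indexing is assumed to be byte i against mask[i mod 44], and the proxy records are invented sample data.

```python
from urllib.parse import parse_qs, urlparse

# Value the page reports the seed decodes to, defanged as on the page.
C2_DEFANGED = "https://solananetworkinstance[.]info/api/gads"
MASK_LEN = 44  # mask length reported for the real sample


def xor_with_mask(data, mask):
    """Position-based XOR: byte i is combined with mask[i % len(mask)].
    XOR is its own inverse, so one routine both encodes and decodes.
    (The exact indexing used by the real Shuffle method is assumed.)"""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def build_sample(plaintext, mask_len=MASK_LEN):
    """Constructed stand-in for the package's seed/mask pair. Every mask
    byte has the high bit set, so every encoded byte is >= 0x80 and no
    ASCII marker can survive in the seed."""
    mask = bytes(0x80 | i for i in range(mask_len))
    return xor_with_mask(plaintext.encode(), mask), mask


def decode_c2(seed, mask):
    """What an analyst does with the two constants lifted from the
    decompiled assembly."""
    return xor_with_mask(seed, mask).decode()


def static_markers_present(blob):
    """Would grepping the shipped DLL for the obvious IOC substrings find
    anything? Not when the URL only exists in encoded form."""
    return any(m in blob for m in (b"http", b"solana", b".info", b"/api/"))


# Behavioural detection: the POST itself is not obfuscated.
C2_HOST = urlparse(C2_DEFANGED.replace("[.]", ".")).hostname


def looks_like_exfil(method, url, content_type, body):
    """Proxy-log check mirroring the page's description: a POST to the C2
    host whose form body carries a field named 'message'."""
    parsed = urlparse(url)
    if method.upper() != "POST" or parsed.hostname != C2_HOST:
        return False
    if "application/x-www-form-urlencoded" not in content_type:
        return False
    return "message" in parse_qs(body)


# Constructed proxy records: (method, url, content-type, body).
SAMPLE_REQUESTS = [
    ("POST", "https://solananetworkinstance.info/api/gads",
     "application/x-www-form-urlencoded", "message=%7B%22mnemonic%22%3A...%7D"),
    ("POST", "https://rpc.example.org/v3/abc",
     "application/json", '{"jsonrpc":"2.0","method":"eth_blockNumber"}'),
    ("GET", "https://solananetworkinstance.info/api/gads", "", ""),
]


def flag_requests(records=SAMPLE_REQUESTS):
    """URLs of the records that match the exfiltration pattern."""
    return [r[1] for r in records if looks_like_exfil(*r)]


if __name__ == "__main__":
    seed, mask = build_sample(C2_DEFANGED)
    print("seed contains plain IOC strings:", static_markers_present(seed))
    print("decoded:", decode_c2(seed, mask))
    print("flagged:", flag_requests())
```

The first half is the reason a hostname-based YARA or grep rule over the NuGet artifact misses this sample; the second half is why egress logging from developer machines and build agents still catches it, since the data must leave in clear HTTP semantics (a POST with a message field) even though the destination was assembled at runtime.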
Implications and Broader Context
This attack combines three evasions, each aimed at a different control: the Unicode homoglyph defeats a visual check of the package name, the inflated download count defeats a popularity heuristic, and runtime decoding defeats static string matching on the artifact. It underscores a threat landscape in which attackers exploit trusted ecosystems to distribute malware against cryptocurrency assets, and it calls for heightened vigilance from developers and organizations.
Recommendations for Developers
To mitigate such risks, developers are advised to:
– Verify Package Authenticity: Inspect package names character by character for substitutions such as the Cyrillic е used here, confirm the publisher against the project's official site rather than trusting a plausible alias such as nethereumgroup, and commit a NuGet lock file (packages.lock.json) so any new package ID entering a restore shows up in code review.
– Monitor Download Metrics: Treat a brand-new package showing millions of downloads within days, as Netherеum.All did, as a red flag rather than a sign of adoption; download counts are attacker-controllable.
– Review Code and Dependencies: Inspect what a package actually ships, not only its declared dependencies; decompiling the assemblies and looking for network calls or string-decoding routines that a client library has no reason to contain would have exposed the decoding routine and the POST.
– Implement Security Tools: Use dependency scanners that flag non-ASCII package IDs and newly published packages, and monitor egress from developer machines and build agents so an unexpected HTTP POST from a wallet-handling application is noticed.
– Stay Informed: Keep abreast of the latest security advisories and reports related to the development tools and libraries in use.
Conclusion
The discovery of these malicious NuGet packages highlights the evolving tactics of cyber attackers targeting the software supply chain. By impersonating widely used libraries and employing sophisticated obfuscation techniques, they aim to infiltrate development environments and exfiltrate sensitive information. Developers must exercise due diligence in verifying the authenticity of packages and remain vigilant against such deceptive practices to safeguard their projects and users.