ReversingLabs uncovered a NuGet supply-chain campaign (July–October 2025) involving 14 malicious packages that impersonated legitimate crypto libraries to steal wallet secrets or Google Ads OAuth credentials, or to redirect funds. The packages used homoglyph names, rapid version bumping, inflated download counts and functions hidden inside otherwise legitimate code (e.g., Shuffle, MapAddress) to exfiltrate data to hxxps://solananetworkinstance[.]info/api/gads or to overwrite transaction destination addresses. #Netherеum.All #NuGet
Keypoints
- ReversingLabs identified 14 malicious NuGet packages published between July and October 2025 that impersonated legitimate crypto-related libraries and tools.
- The campaign split into three payload groups: a nine-package wallet stealer that exfiltrates keys, a three-package fund-stealer that overwrites transaction destinations, and one package stealing Google Ads OAuth credentials.
- Malicious code was hidden inside otherwise legitimate codebases and activated only at critical execution points to avoid detection (examples: Shuffle and MapAddress functions).
- Threat actors used social-engineering techniques—homoglyph package names, rapid version bumping, and artificially inflated download counts—to appear trustworthy.
- Exfiltration used an XOR-decrypted URL built at runtime pointing to hxxps://solananetworkinstance[.]info/api/gads, which mimics a legitimate vendor name for domain confusion.
- The campaign risked downstream propagation: developers embedding these packages could have distributed the backdoors to projects, organizations and users relying on those dependencies.
- ReversingLabs recommends careful author verification, code review for obfuscation/external connections, and use of tools like Spectra Assure Community to surface suspicious package behaviors.
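As an added illustration of the homoglyph check (this is example code, not code from ReversingLabs or from the report), the Python below parses the PackageReference entries of a .csproj and flags every package ID containing non-ASCII characters, mapping known look-alike letters back to the Latin ID they imitate so a reviewer can see which legitimate package is being impersonated. The sample project file, the confusables subset and the allow-list of legitimate IDs are constructed for this example; that the campaign's look-alike was Cyrillic small letter ie (U+0435) is an assumption.

```python
"""Flag NuGet PackageReference IDs that contain homoglyph (look-alike) characters."""
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample project file, not from the report. The first reference spells
# Nethereum.All with Cyrillic small letter ie (U+0435) in place of the Latin 'e' after
# 'r'; that this is the exact character the campaign used is an assumption here.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nether\u0435um.All" Version="1.0.0" />
    <PackageReference Include="Nethereum.Web3" Version="1.0.0" />
    <PackageReference Include="NBitcoin" Version="1.0.0" />
  </ItemGroup>
</Project>"""

# Cyrillic and Greek letters that render like Latin ones. Assumption: a hand-picked
# subset for illustration, not the full Unicode confusables.txt table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u03b1": "a", "\u03bf": "o", "\u0391": "A", "\u0392": "B", "\u0395": "E",
}

# Assumed allow-list of the legitimate IDs this project is expected to depend on.
KNOWN_PACKAGES = frozenset({"Nethereum.All", "Nethereum.Web3", "NBitcoin"})


def package_references(csproj_xml: str) -> list[str]:
    """Include= values of every PackageReference, in both SDK-style and
    namespaced (xmlns=".../msbuild/2003") project files."""
    root = ET.fromstring(csproj_xml)
    return [el.get("Include") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "PackageReference" and el.get("Include")]


def non_ascii_chars(name: str) -> list[tuple[str, str, str]]:
    """(char, Unicode name, code point) for each non-ASCII character in a package ID."""
    return [(c, unicodedata.name(c, "UNKNOWN"), f"U+{ord(c):04X}")
            for c in name if ord(c) > 0x7F]


def ascii_skeleton(name: str) -> str:
    """Replace known confusables with the Latin letter they imitate, so the
    reviewer sees which legitimate ID a look-alike is modelled on."""
    return "".join(CONFUSABLES.get(c, c) for c in name)


def audit(csproj_xml: str, known_packages=KNOWN_PACKAGES) -> list[dict]:
    """Report every package ID with non-ASCII characters, and whether its
    skeleton collides with a known legitimate ID (a likely impersonation)."""
    findings = []
    for pkg in package_references(csproj_xml):
        odd = non_ascii_chars(pkg)
        if not odd:
            continue
        skeleton = ascii_skeleton(pkg)
        findings.append({
            "package": pkg,
            "chars": odd,
            "looks_like": skeleton,
            "impersonates": skeleton if skeleton != pkg and skeleton in known_packages else None,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CSPROJ):
        print(finding)
```

Two caveats worth knowing: Unicode normalization does not help here, because NFKC leaves U+0435 as U+0435 rather than folding it to Latin e, so a normalize-then-compare check alone misses exactly this trick; and the script only sees what is written in the project file, so run it against the restored lock file or `dotnet list package` output as well if package IDs are pulled in transitively.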
MITRE Techniques
- [T1195] Supply Chain Compromise – Malicious packages posing as legitimate OSS libraries were published to NuGet, so any project that took the dependency pulled the malicious code into its own build: [‘a single compromised dependency can quickly propagate through the software supply chain’]
- [T1036] Masquerading – Package names used homoglyphs to impersonate legitimate packages and appear authentic: [‘The package name uses a character that visually resembles a common letter or symbol. However, to a computer the character has an entirely different meaning.’]
- [T1027] Obfuscated Files or Information – The exfiltration endpoint is never stored as a plain string; it is rebuilt at runtime by XOR-decrypting a char array, so a static search of the package for the domain finds nothing: [‘it is created on the fly by decrypting a char array using a XOR cipher.’]
- [T1567] Exfiltration Over Web Service – Sensitive wallet data and OAuth secrets were sent over HTTPS to an attacker-controlled web endpoint: [‘the exfiltration URL is “hxxps://solananetworkinstance[.]info/api/gads,”’]
- [T1565] Data Manipulation – Inside SendMoneyAsync the destination wallet address is overwritten at runtime, so funds from transactions above $100 are redirected to attacker-controlled wallets: [‘They overwrite the destination wallet address with one of their own — essentially funneling any money from transactions higher than $100 to themselves.’]
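An added example (not code from the report or from the malicious packages) of undoing the runtime-built URL described under T1027, applied to the endpoint listed under T1567: the Python below pulls char/byte/int array literals out of C# source or decompiler output, brute-forces a single-byte XOR key, and, where the array is expected to begin with a URL scheme, recovers a repeating key of any length up to the crib by known plaintext. The C# fragment, both keys and the defanged form of the URL are constructed for the example; the page does not describe the real packages' key or decoding routine, so this demonstrates the technique rather than reproducing their code.

```python
"""Recover XOR-obfuscated URLs from integer/char array literals in C# source text."""
import re

URL_RE = re.compile(r"h(?:tt|xx)ps?://[\w\-.\[\]/]+", re.IGNORECASE)
ARRAY_RE = re.compile(r"new\s+(?:char|byte|int)\s*\[\s*\]\s*\{([^}]*)\}")
NUM_RE = re.compile(r"0[xX][0-9a-fA-F]+|\d+")


def xor_obfuscate(text: str, key: bytes) -> list[int]:
    """Repeating-key XOR of an ASCII string; models the build-time side of the trick."""
    return [ord(c) ^ key[i % len(key)] for i, c in enumerate(text)]


def xor_decode(vals: list[int], key: bytes) -> bytes:
    # Values above 0xFF cannot be ASCII anyway; the mask only keeps bytes() happy.
    return bytes((v ^ key[i % len(key)]) & 0xFF for i, v in enumerate(vals))


def extract_arrays(source: str) -> list[list[int]]:
    """Every `new char[] { ... }` / byte[] / int[] literal as a list of ints."""
    arrays = []
    for m in ARRAY_RE.finditer(source):
        nums = NUM_RE.findall(m.group(1))
        vals = [int(n, 16) if n[:2].lower() == "0x" else int(n) for n in nums]
        if vals:
            arrays.append(vals)
    return arrays


def _url_in(plain: bytes):
    """The URL contained in a candidate decode, or None if it is not clean ASCII."""
    if not all(0x20 <= b < 0x7F for b in plain):
        return None
    m = URL_RE.search(plain.decode("ascii"))
    return m.group(0) if m else None


def brute_force_single_byte(vals: list[int]) -> list[tuple[bytes, str]]:
    hits = []
    for k in range(256):
        url = _url_in(xor_decode(vals, bytes([k])))
        if url:
            hits.append((bytes([k]), url))
    return hits


def crib_repeating_key(vals: list[int], crib: bytes = b"https://") -> list[tuple[bytes, str]]:
    """Known-plaintext recovery: if the array starts with `crib`, ciphertext XOR crib
    is the key stream over the crib's span; any period consistent with that stream
    is a candidate key. Only key lengths up to len(crib) can be learned this way."""
    if len(vals) < len(crib):
        return []
    stream = bytes((v ^ c) & 0xFF for v, c in zip(vals, crib))
    hits, seen = [], set()
    for klen in range(1, len(crib) + 1):
        key = stream[:klen]
        if any(stream[i] != key[i % klen] for i in range(len(stream))):
            continue  # key stream does not repeat with this period
        url = _url_in(xor_decode(vals, key))
        if url and url not in seen:  # drop multiples of the same period
            seen.add(url)
            hits.append((key, url))
    return hits


def scan(source: str, crib: bytes = b"https://") -> list[dict]:
    """Run both recoveries over every literal array in the source text."""
    report = []
    for vals in extract_arrays(source):
        found = set(brute_force_single_byte(vals)) | set(crib_repeating_key(vals, crib))
        report.extend({"key": key.hex(), "url": url} for key, url in sorted(found))
    return report


# Constructed C# sample (not code from the malicious packages): two obfuscated copies of
# the report's IoC URL, kept defanged. _u1 uses the single-byte key 0x5a, _u2 the
# three-byte key 5a a7 13; both keys are assumptions for this example.
DEFANGED_URL = "hxxps://solananetworkinstance[.]info/api/gads"


def _cs_char_array(name: str, vals: list[int]) -> str:
    body = ", ".join(f"(char)0x{v:02x}" for v in vals)
    return f"static readonly char[] {name} = new char[] {{ {body} }};"


SAMPLE_CS = "\n".join([
    _cs_char_array("_u1", xor_obfuscate(DEFANGED_URL, b"\x5a")),
    _cs_char_array("_u2", xor_obfuscate(DEFANGED_URL, b"\x5a\xa7\x13")),
    'static string Url() { var s = ""; foreach (var c in _u1) s += (char)(c ^ 0x5a); return s; }',
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_CS, crib=b"hxxps://"):
        print(hit)
```

On a real package you would run this over decompiler output (for example ILSpy's) with the default `https://` crib; the sample passes `hxxps://` only because its embedded URL is kept defanged. Single-byte brute force fails on `_u2`, which is the point of the second routine: once the key is longer than one byte, guessing needs either a known plaintext prefix like the scheme or a frequency-based attack.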
Indicators of Compromise
- [NuGet package names] Malicious packages published to NuGet – Netherеum.All (the ‘е’ after ‘r’ is a Cyrillic look-alike, not the Latin letter e), NBitcoin.Unified, and 12 other malicious packages detected in the campaign
- [Domain / URL] Exfiltration endpoint used by the wallet stealer – hxxps://solananetworkinstance[.]info/api/gads
- [Author / Publisher names] Package publishers associated with malicious packages – DamienMcdougal, jackfreemancodes
- [Function names / code artifacts] Embedded malicious routines used for exfiltration and redirection – Shuffle, MapAddress (also SendMoneyAsync as an abused routine)
Read more: https://www.reversinglabs.com/blog/nuget-malware-crypto-oauth-tokens