Cybersecurity researchers uncovered a malicious NuGet package that impersonates a legitimate .NET tracing library to steal cryptocurrency wallet data. The stealthy package has been active for nearly six years, exfiltrating sensitive wallet information to Russian infrastructure. #NuGetTyposquatting #CryptocurrencyTheft
Keypoints
- A malicious NuGet package named "Tracer.Fody.NLog" mimics a popular .NET tracing library to deceive users.
- The package has been available on the repository since February 2020 and has over 2,000 downloads.
- The malware scans wallet directories, reads *.wallet.json files, and exfiltrates data including passwords to a Russian IP address.
- It uses sophisticated tactics such as typosquatting, Cyrillic characters, and hiding malicious code in legitimate functions.
- Similar attacks have been observed previously, indicating a pattern targeting .NET ecosystem tools and libraries.
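A defender-side check for the typosquatting and Cyrillic-character tactics listed above, as an added example that is not from the original report or the researchers: it flags referenced package IDs that contain non-ASCII characters or sit within a small edit distance of an approved ID. The allowlist names, sample references and the distance threshold are constructed assumptions.

```python
import unicodedata

# Constructed allowlist of package IDs a team has approved (hypothetical names).
APPROVED = ("Contoso.Tracing", "Contoso.Tracing.Log")

def non_ascii_chars(text):
    """Unicode names of every non-ASCII character, e.g. Cyrillic lookalikes."""
    return [unicodedata.name(c, f"U+{ord(c):04X}") for c in text if ord(c) > 127]

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(package_id, approved=APPROVED, max_distance=2):
    """Return findings for one referenced ID; an empty list means nothing flagged."""
    findings = [f"non-ASCII character: {n}" for n in non_ascii_chars(package_id)]
    folded = package_id.casefold()  # NuGet IDs are compared case-insensitively
    if folded in {a.casefold() for a in approved}:
        return findings
    for good in approved:
        d = edit_distance(folded, good.casefold())
        if d <= max_distance:  # close to, but not equal to, an approved ID
            findings.append(f"distance {d} from approved ID {good}")
    return findings

if __name__ == "__main__":
    # Constructed sample references: exact match, typo, Cyrillic 'a' (U+0430), unrelated.
    for ref in ["Contoso.Tracing", "Contoso.Tracimg", "Contoso.Tr\u0430cing", "Other.Lib"]:
        print(repr(ref), audit(ref) or "ok")
```

An ID that renders identically to an approved one but carries a Cyrillic letter produces both findings, which is the case a visual review of a project file misses.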
Read More: https://thehackernews.com/2025/12/rogue-nuget-package-poses-as-tracerfody.html