A malicious NuGet package masquerading as a popular .NET logging tool has been caught stealing cryptocurrency wallet data for over five years. The package, Tracer.Fody.NLog, successfully evaded detection by using advanced camouflage techniques, including homoglyphs and typosquatting, to trick developers into embedding it within their build pipelines.
Discovered by the Socket Threat Research Team, this supply chain attack targets the .NET ecosystem with surgical precision. Unlike noisy “spray-and-pray” attacks, this malware remained dormant and effective since its publication in 2020, accumulating roughly 2,000 downloads while silently siphoning sensitive credentials to a Russian command-and-control server.
The malware’s success relied on a sophisticated layered disguise designed to pass manual code reviews.
First, the attackers engaged in typosquatting by publishing the package under the user alias csnemess—a near-identical clone of the legitimate maintainer’s handle, csnemes (one trailing ‘s’ instead of two). The package itself mimics the legitimate Tracer.Fody library, a widely trusted tool for injecting logging code into .NET applications.
Second, and more dangerously, the attackers used homoglyphs inside the compiled code. They replaced standard Latin characters in key identifiers (like Tracer.Fody and Guard) with visually identical Cyrillic characters. “Visually these identifiers render as Tracer.Fody and Guard, but their underlying Unicode code points are different,” making string-based security checks useless.
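The two disguises above are exactly what a string comparison misses, so a defender's check has to look at Unicode scripts and edit distance rather than at rendered text. The script below is an added example written for this article; it is not Socket's tooling or anything from the Tracer.Fody project. It flags identifiers whose letters mix scripts or whose look-alike "skeleton" collides with a trusted name, and flags author aliases within one edit of a known maintainer handle. The confusables table is a hand-picked subset of Cyrillic-to-Latin look-alikes, and the sample identifiers are constructed: the article says Tracer.Fody and Guard were spoofed with Cyrillic characters but not which letters, so the substitutions shown are assumptions for the demo.

```python
"""Flag homoglyph identifiers and near-miss author aliases in a package
listing. Added example for this article, not Socket's or the project's code.
All sample identifiers and aliases below are constructed."""
import unicodedata

# Subset of Cyrillic letters and the Latin letters they render like.
# Constructed for this demo; a production check would load the full
# Unicode confusables data instead of this short table.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0422": "T", "\u0425": "X",
}


def letter_scripts(identifier):
    """Return the set of scripts used by the letters in identifier, taken
    from the first word of each character's Unicode name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    scripts = set()
    for ch in identifier:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(identifier: str) -> str:
    """Replace each confusable character with its Latin look-alike so a
    spoofed identifier compares equal to the name it imitates."""
    normalized = unicodedata.normalize("NFKC", identifier)
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in normalized)


def find_homoglyph_identifiers(identifiers, trusted_names):
    """Flag identifiers that mix scripts, or whose skeleton matches a
    trusted name while the raw string does not."""
    findings = []
    for ident in identifiers:
        scripts = letter_scripts(ident)
        skel = skeleton(ident)
        reasons = []
        if len(scripts) > 1:
            reasons.append("mixed-script")
        if skel in trusted_names and ident != skel:
            reasons.append("look-alike of trusted name")
        if reasons:
            findings.append({"identifier": ident, "skeleton": skel,
                             "scripts": sorted(scripts), "reasons": reasons})
    return findings


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_alias_near_misses(alias, known_maintainers, max_distance=1):
    """Return known maintainer handles that alias imitates within
    max_distance edits; an exact match is the maintainer, not a near miss.
    The alias is skeletonized first so homoglyphs cannot hide the distance."""
    alias_skel = skeleton(alias).casefold()
    return [m for m in known_maintainers
            if alias_skel != m.casefold()
            and edit_distance(alias_skel, m.casefold()) <= max_distance]


# Constructed sample: identifiers as a reviewer might see them after
# decompiling, with some Latin letters swapped for Cyrillic look-alikes
# (U+0430, U+0435, U+043E). Which letters the real package swapped is not
# stated in the article; these substitutions are assumptions.
SAMPLE_IDENTIFIERS = [
    "Tr\u0430c\u0435r.F\u043edy",   # renders as Tracer.Fody
    "Gu\u0430rd",                    # renders as Guard
    "Tracer.Fody",                   # genuine, all Latin
    "NotNull",
]
TRUSTED_NAMES = {"Tracer.Fody", "Guard"}
KNOWN_MAINTAINERS = ["csnemes"]

if __name__ == "__main__":
    for finding in find_homoglyph_identifiers(SAMPLE_IDENTIFIERS, TRUSTED_NAMES):
        print(finding)
    print(find_alias_near_misses("csnemess", KNOWN_MAINTAINERS))
```

Run against a real package you would feed it the identifier and string tables pulled from the decompiled assembly and the publisher alias from the package metadata; the point of the skeleton step is that the same alias check still fires when the attacker combines both tricks and spells the handle itself with Cyrillic letters.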
Once installed, the malware does not crash the system or display errors. Instead, it hooks into a generic helper function named Guard.NotNull<T>.
When a developer uses this helper to check an object that happens to have a WalletPassword property, the trap springs. The malware:
- Scans the default directory for Stratis cryptocurrency wallets (%APPDATA%\Stratis Node\stratis\Stratis Main).
- Extracts the wallet data and password via reflection.
- Exfiltrates the stolen credentials to a hardcoded IP address: 176[.]113[.]82[.]163.
This entire process happens asynchronously and silently catches all exceptions, ensuring the host application continues to run normally while data is leaked.
This is not the threat actor’s first appearance. The investigation linked this infrastructure to a previous attack involving the package Cleary.AsyncExtensions, which impersonated the popular open-source maintainer Stephen Cleary. That package utilized the exact same C2 IP address and homoglyph obfuscation techniques to steal passphrases, confirming a sustained and coordinated campaign against .NET developers.
Despite being reported to the NuGet security team, the package remained live at the time of the report’s publication.