The threat actor bmrxntfj NuGet profile
A highly sophisticated software supply chain attack has compromised tens of thousands of developer workstations and CI/CD build servers through the NuGet package manager. Uncovered by Socket’s Threat Research Team, this campaign utilizes five malicious packages specifically designed to impersonate internal Chinese enterprise libraries and UI components.
Rather than relying on widespread typosquatting of public packages, the threat actor, operating under the account bmrxntfj, built the malicious packages as wrappers around legitimate, MIT-licensed WinForms component libraries such as AntdUI. To date, these packages (IR.DantUI, IR.OscarUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, and IR.iplus32) have amassed approximately 65,000 downloads.
The payload operates entirely through the .NET module initializer, meaning it is invoked by the Common Language Runtime (CLR) immediately before any application code runs.
As the researchers noted in their findings, “Any build server, CI runner, or developer workstation that runs nuget restore and then loads the assembly is in scope”.
Once loaded, the malicious code utilizes a .NET Reactor bootstrap to allocate a read-write-execute memory region. It then patches the CLR JIT compiler (clrjit.dll!getJit), effectively taking control of the entire Just-In-Time compilation pipeline to decrypt and execute its payload stealthily. The attack is also cross-platform, featuring execution paths for Linux and macOS that abuse mmap and /proc/self/mem to achieve the same result.
The operators demonstrated extreme operational discipline to evade static analysis and security scanners. While publishing 224 versions in total across the five package IDs, they deliberately kept 219 of them hidden by marking them unlisted (listed: false).
The report emphasizes the ingenuity of this tactic: “The operator keeps only one version listed per package at a time, creating a false appearance of a low-volume, possibly legitimate library while silently accumulating install counts across a long unlisted version history”.
This continuous version rotation effectively nullifies file-hash-based indicators of compromise (IOCs), as blocking an older version’s hash will not catch newly rotated payloads.
Once fully executed, the heavily obfuscated infostealer targets an extensive list of sensitive data. This includes credential harvesting across 12 Chromium-family browsers, bypassing Chrome's recent v20 App-Bound encryption, as well as Mozilla Firefox.
Furthermore, the stealer hunts for 8 desktop cryptocurrency wallets (such as Exodus and Electrum), 5 browser wallet extensions (including MetaMask and Phantom), SSH private keys, and Steam session data. All exfiltrated data is staged on the host at C:\ProgramData\Microsoft OneDrive\keys.dat, a path chosen to blend in with legitimate filesystem activity. The data is subsequently POSTed to a newly registered command-and-control server, dns-providersa2[.]com.
Researchers were able to trace the threat actor’s steps through a unique cryptographic flaw. The report notes that “Every copy of .NET Reactor is licensed with a unique RSA-1024 key pair” used for anti-tamper verification. By extracting this specific modulus from the malicious packages, investigators successfully linked the NuGet payloads to other severe malware dumps (such as Lumma and Quantum) circulating in the wild.
Security teams must immediately audit their .NET dependencies for the IR.* packages. In the modern threat landscape, the perimeter is no longer just the network; it is the build pipeline itself.
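The following audit script is an added example, not tooling from Socket or from the article. It walks a source tree and flags the five package IDs named above wherever they appear in .csproj/.fsproj/.vbproj PackageReference items, legacy packages.config files, or packages.lock.json lock files (which also capture transitive dependencies). Matching is done on package ID rather than on version or file hash, because the continuous version rotation described above means hash-based indicators go stale. The sample project and lock-file contents at the bottom are constructed for illustration.

```python
"""Audit a .NET source tree for the bmrxntfj IR.* NuGet package IDs.

Added example (not the researchers' code). Matches on package ID only,
since the operator rotates versions and hashes faster than IOC lists.
"""
import json
import os
import sys
import xml.etree.ElementTree as ET

# The five package IDs named in the Socket report. NuGet IDs are
# case-insensitive, so all comparisons are made in lowercase.
MALICIOUS_IDS = {
    "ir.dantui",
    "ir.oscarui",
    "ir.infrastructure.core",
    "ir.infrastructure.dataservice.core",
    "ir.iplus32",
}


def _local(tag):
    """Strip an XML namespace (old-style project files carry one)."""
    return tag.rsplit("}", 1)[-1]


def find_in_project(text):
    """Return [(package_id, version)] for flagged <PackageReference> items."""
    hits = []
    for el in ET.fromstring(text).iter():
        if _local(el.tag) != "PackageReference":
            continue
        pid = el.get("Include") or el.get("Update") or ""
        # Version may be an attribute or a <Version> child element.
        ver = el.get("Version") or next(
            (c.text or "" for c in el if _local(c.tag) == "Version"), "")
        if pid.lower() in MALICIOUS_IDS:
            hits.append((pid, ver.strip()))
    return hits


def find_in_packages_config(text):
    """Return [(package_id, version)] for flagged <package> entries."""
    hits = []
    for el in ET.fromstring(text).iter():
        if _local(el.tag) == "package":
            pid = el.get("id") or ""
            if pid.lower() in MALICIOUS_IDS:
                hits.append((pid, el.get("version") or ""))
    return hits


def find_in_lock_json(text):
    """Return [(package_id, resolved_version)] from packages.lock.json.

    The lock file lists transitive packages too, so a flagged ID pulled
    in indirectly by another dependency is still reported.
    """
    hits = []
    data = json.loads(text)
    for deps in data.get("dependencies", {}).values():
        for pid, info in deps.items():
            if pid.lower() in MALICIOUS_IDS:
                hits.append((pid, info.get("resolved", "")))
    return hits


# Dispatch by exact file name first, then by extension.
SCANNERS = {
    "packages.config": find_in_packages_config,
    "packages.lock.json": find_in_lock_json,
    ".csproj": find_in_project,
    ".fsproj": find_in_project,
    ".vbproj": find_in_project,
}


def scanner_for(filename):
    """Pick the scanner for a path, or None if the file is not of interest."""
    name = os.path.basename(filename).lower()
    return SCANNERS.get(name) or SCANNERS.get(os.path.splitext(name)[1])


def audit_tree(root):
    """Walk `root`; return {path: [(id, version), ...]} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            scan = scanner_for(fn)
            if scan is None:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8-sig") as fh:
                try:
                    hits = scan(fh.read())
                except (ET.ParseError, ValueError):
                    continue  # malformed file; not a finding by itself
            if hits:
                findings[path] = hits
    return findings


# Constructed sample inputs for demonstration, not files from the report.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="IR.DantUI" Version="1.0.3" />
  </ItemGroup>
</Project>"""

SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "IR.Infrastructure.Core": {
                "type": "Transitive", "resolved": "2.1.0",
                "contentHash": "PLACEHOLDER",
            },
            "Newtonsoft.Json": {"type": "Direct", "resolved": "13.0.3"},
        }
    },
})

if __name__ == "__main__":
    print(find_in_project(SAMPLE_CSPROJ))
    print(find_in_lock_json(SAMPLE_LOCK))
    for path, hits in audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

Run it with the repository root as the first argument; any hit on a lock file is worth treating as a compromised build, since the module initializer runs as soon as the assembly is loaded by the restored build.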