A sophisticated supply chain campaign targeting .NET developers working with cryptocurrency has been uncovered, revealing a network of malicious packages designed to steal funds and sensitive secrets. A new report from ReversingLabs (RL) details the discovery of “Nethereum.All”, a malicious NuGet package that impersonates the legitimate Ethereum integration library to trick unsuspecting engineers.
The campaign, which has been active since July 2025, goes beyond simple typosquatting, employing “inflated download counts” and copied code to masquerade as trusted software.
The investigation began on October 17, when researchers flagged Nethereum.All—a package mimicking Nethereum, the standard .NET integration library for blockchain. The attackers didn’t just copy the name; they copied the functionality.
“All of the packages impersonate legitimate crypto-related tools and copy their functionality, but are enriched with malicious functionality intended to steal crypto funds from victims”.
By cloning the legitimate code, the malware ensures the application continues to function as expected, delaying detection. However, hidden within the library are routines designed to empty the victim’s digital pockets.
“Some of the packages are designed to redirect transaction funds to attacker-controlled wallets, while others are designed to exfiltrate secrets that can later be used to access victim wallets and extract funds from them”.
One of the most dangerous aspects of this campaign is the social engineering involved. Developers often rely on download counts as a metric of trust. The threat actors appear to have artificially manipulated these statistics to make their malicious libraries appear battle-tested.
Screenshots from the report show Nethereum.All displaying 10.4 million downloads, creating a dangerous illusion of legitimacy.

“Threat actors also used several techniques to make the malicious packages look trustworthy, tricking unsuspecting users into a false sense of security”.
While Nethereum.All was the catalyst for the investigation, it is part of a much larger operation. RL researchers have identified a total of 14 malicious packages published over several months by various author accounts.
The campaign targets various blockchain ecosystems. Beyond Ethereum, the attackers targeted Bitcoin developers with a package named NBitcoin.Unified, and Solana developers with SolnetAll—a package that was removed from NuGet before it could be fully analyzed, though researchers believe it performed similar thefts.
The technical analysis reveals that the malicious code was often buried deep within the copied legitimate code. In one instance, the malware was caught exfiltrating Google Ads credentials (ClientId, ClientSecret, and DeveloperToken) via a SendLog function, aiming to steal not just crypto, but API access as well.
The report warns that this level of obfuscation makes the threat particularly potent. “Malicious functionality is well hidden inside the code that attackers copied from legitimate packages, making analysis and detection of the malware more difficult”.
Developers using NuGet for crypto-related projects are urged to audit their dependencies immediately, paying close attention to package authors and verifying that they are using the official versions of libraries like Nethereum and NBitcoin.
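One way to start the dependency audit recommended above, as an added example that is not code from the ReversingLabs report: a Python check that reads `PackageReference` entries from a `.csproj` and resolved (direct and transitive) entries from a `packages.lock.json`, and reports any ID matching the package names mentioned in this article. The flagged set holds only the three names given here, not all 14 packages from the report, and the sample inputs and version numbers are constructed placeholders.

```python
import json
import xml.etree.ElementTree as ET

# Package IDs named in the article (the report covers 14; only these three appear here).
FLAGGED = {"nethereum.all", "nbitcoin.unified", "solnetall"}

# Constructed sample inputs; version numbers are placeholders.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Nethereum.Web3" Version="0.0.0" />
  <PackageReference Include="nethereum.all"><Version>0.0.0</Version></PackageReference>
</ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "NBitcoin": {"type": "Direct", "resolved": "0.0.0"},
    "NBitcoin.Unified": {"type": "Transitive", "resolved": "0.0.0"}}}})

def local(tag):
    """Strip an XML namespace prefix (old-style project files declare one)."""
    return tag.rsplit("}", 1)[-1]

def csproj_packages(xml_text):
    """Yield (id, version) for each PackageReference in a project file."""
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "PackageReference":
            continue
        pkg = el.get("Include") or el.get("Update")
        version = el.get("Version")
        if version is None:  # version may be a child element instead of an attribute
            child = next((c for c in el if local(c.tag) == "Version"), None)
            version = child.text if child is not None else None
        if pkg:
            yield pkg, version

def lockfile_packages(json_text):
    """Yield (id, resolved version) for every entry in packages.lock.json."""
    for framework in json.loads(json_text).get("dependencies", {}).values():
        for pkg, info in framework.items():
            yield pkg, info.get("resolved")

def audit(packages):
    """Return flagged (id, version) pairs; NuGet package IDs are case-insensitive."""
    hits = {(p, v) for p, v in packages if p.strip().lower() in FLAGGED}
    return sorted(hits, key=lambda t: (t[0].lower(), t[1] or ""))

if __name__ == "__main__":
    for source, pkgs in (("csproj", csproj_packages(SAMPLE_CSPROJ)),
                         ("lock file", lockfile_packages(SAMPLE_LOCK))):
        for pkg, version in audit(pkgs):
            print(f"FLAGGED in {source}: {pkg} {version}")
```

A clean result only means none of these three names is referenced; checking the package author on nuget.org, as the article advises, is still needed for anything the list does not cover.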