Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Gemini CLI Vulnerability Lets Attackers Build Botnets in Minutes
July 15, 2026
US Charges Two Bulletproof Hosting Firms for Aiding Cybercrime
July 15, 2026
Critical Dell PowerProtect flaws let attackers gain full system access
July 15, 2026
Home/Threats/Malicious NuGet Packages Steal Browser Credentials, SSH Keys, Crypto Wallets
Threats

Malicious NuGet Packages Steal Browser Credentials, SSH Keys, Crypto Wallets

Key Takeaways Five malicious NuGet packages have been discovered, masquerading as legitimate Chinese software libraries. These packages stealthily exfiltrate sensitive data, including browser...

Sarah simpson
Sarah simpson
May 7, 2026 4 Min Read
67 0

Key Takeaways

  • Five malicious NuGet packages have been discovered, masquerading as legitimate Chinese software libraries.
  • These packages stealthily exfiltrate sensitive data, including browser credentials, SSH keys, and cryptocurrency wallet information, from developer machines and CI/CD systems.
  • The campaign, active since at least September 2025, has accumulated nearly 65,000 downloads through a sophisticated version rotation technique designed to evade detection.
  • No immediate patch is available for the packages themselves, but removal and system compromise remediation are critical.

A sophisticated supply chain attack has infiltrated the NuGet ecosystem, targeting .NET developers with five cunningly crafted malicious packages. These rogue libraries, designed to mimic popular Chinese enterprise software, are engineered to steal a wide array of sensitive data, including browser credentials, SSH private keys, and cryptocurrency wallet details.

Table Of Content

  • Key Takeaways
  • Discovery and Scope of Compromise
  • Malicious NuGet Packages: How the Stealer Operates
  • C2 Infrastructure and Attribution
  • What You Should Do

The threat actor behind this campaign adopted an insidious strategy: building the malicious code atop genuine, widely recognized Chinese software libraries. This approach allowed the packages to appear legitimate, particularly to developers accustomed to tools like AntdUI, a prevalent WinForms component library, thereby bypassing casual scrutiny.

Discovery and Scope of Compromise

Researchers at Socket.dev identified all five nefarious packages, which were published under a single NuGet account named “bmrxntfj.” Collectively, these packages amassed approximately 64,784 downloads across their various versions. This significant download count suggests that tens of thousands of developer workstations and CI/CD build environments have been potentially compromised. The campaign’s origins trace back to at least September 2025, with all five packages remaining active at the time of the discovery.

A key factor in the campaign’s longevity and stealth was the attacker’s use of a version rotation technique. Out of 224 total versions published, 219 were deliberately concealed from public search results. By consistently presenting only one visible version and regularly swapping in new ones, the threat actor effectively circumvented hash-based detection methods, compelling security teams to perpetually update their blocklists.

Any developer machine or build server that performed a package restore referencing these five identifiers could have been exposed since late 2025. This extended operational period and high download volume position the incident as one of the more subtly destructive supply chain threats identified this year.

Malicious NuGet Packages: How the Stealer Operates

The malware’s payload is activated via a .NET module initializer, a mechanism that the runtime automatically invokes when a corresponding assembly loads. This means no direct user interaction is required beyond a standard package restore operation. Once triggered, the malware employs JIT hooking to replace the compiler’s dispatch pointer, thereby seizing control over every subsequent method compiled.

Following this initial compromise, a second-stage infostealer, named we4ftg.exe, is executed. This infostealer targets saved credentials across 12 Chromium-based browsers, including Chrome, Edge, Brave, Firefox, and Opera. It meticulously collects passwords, autofill data, session cookies, and payment card information. The payload demonstrates recent maintenance, as evidenced by its ability to handle both legacy and AppBound Chrome encryption formats.

Cryptocurrency assets are a prime target for the infostealer. It specifically goes after browser extension wallets such as MetaMask, TronLink, Phantom, Trust Wallet, and Coinbase Wallet, as well as desktop applications like Exodus, Electrum, Atomic, Guarda, Ledger, and Binance. Beyond crypto, the malware also harvests SSH private keys, Outlook profiles, Steam credentials, and various files from the Documents, Desktop, and Downloads folders.

All exfiltrated data is temporarily stored in a folder path designed to mimic a legitimate Microsoft OneDrive directory. However, a specific file name used in this path is not created by genuine OneDrive operations, serving as a clear indicator of compromise. The collected data is then transmitted to a command-and-control (C2) server, which was registered 33 days prior to the initial NuGet publishing spree.

C2 Infrastructure and Attribution

The primary C2 domain for this operation resolves to a server located in Amsterdam, hosted by a virtual hosting provider. Its nameservers are managed by Njalla, a privacy registrar frequently utilized by threat actors to hinder takedown attempts. The domain itself was crafted to resemble a legitimate DNS provider, allowing it to blend seamlessly into routine firewall logs.

A secondary domain, linked to an Alibaba Cloud server in Shanghai, appears to function as the attacker’s development environment. This domain did not produce any hits in public malware databases and was not observed receiving stolen data.

Attribution efforts were bolstered by a unique RSA-1048 key embedded within every .NET Reactor-protected package. This identical key was found in four other malicious files on VirusTotal, including memory dumps that predated the NuGet campaign by several weeks. Labels associated with these files point to known malware families such as Lumma, Quantum, AgentRacoon, and ArrowRAT, suggesting potential links or shared tooling.

What You Should Do

  • Immediately check project and lock files: Developers must scan their project and lock files for any references to the following NuGet packages: IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, or IR.OscarUI.
  • Assume compromise: Any machine that restored these packages should be treated as compromised.
  • Rotate credentials and keys: All credentials, API keys, SSH keys, and cryptocurrency wallet seeds on affected systems must be immediately rotated.
  • Monitor C2 domain connections: Security teams should configure alerts for any connections to the known C2 domain dns-providersa2[.]com.
  • Watch for suspicious file creation: Implement monitoring for unexpected file creation at the malware’s staging path: C:ProgramDataMicrosoft OneDrivekeys.dat.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwarePatchSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical vm2 Node.js Library Flaws Allow Arbitrary Code Execution

Next Post

Fake Call History Apps on Google Play Steal Payments From 7.3M+ Users

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Windows RDP Bugs Expose Sensitive Data, Patch Now
July 15, 2026
LabubaRAT Malware Impersonates NVIDIA to Hijack Windows Systems
July 15, 2026
Chrome 150 Update Patches 15 Flaws, Two Critical Code Execution Vulnerabilities
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us