Malicious NuGet Packages Steal Browser Credentials, SSH Keys, Crypto Wallets
Key Takeaways Five malicious NuGet packages have been discovered, masquerading as legitimate Chinese software libraries. These packages stealthily exfiltrate sensitive data, including browser...
Key Takeaways
- Five malicious NuGet packages have been discovered, masquerading as legitimate Chinese software libraries.
- These packages stealthily exfiltrate sensitive data, including browser credentials, SSH keys, and cryptocurrency wallet information, from developer machines and CI/CD systems.
- The campaign, active since at least September 2025, has accumulated nearly 65,000 downloads through a sophisticated version rotation technique designed to evade detection.
- No immediate patch is available for the packages themselves, but removal and system compromise remediation are critical.
A sophisticated supply chain attack has infiltrated the NuGet ecosystem, targeting .NET developers with five cunningly crafted malicious packages. These rogue libraries, designed to mimic popular Chinese enterprise software, are engineered to steal a wide array of sensitive data, including browser credentials, SSH private keys, and cryptocurrency wallet details.
Table Of Content
The threat actor behind this campaign adopted an insidious strategy: building the malicious code atop genuine, widely recognized Chinese software libraries. This approach allowed the packages to appear legitimate, particularly to developers accustomed to tools like AntdUI, a prevalent WinForms component library, thereby bypassing casual scrutiny.
Discovery and Scope of Compromise
Researchers at Socket.dev identified all five nefarious packages, which were published under a single NuGet account named “bmrxntfj.” Collectively, these packages amassed approximately 64,784 downloads across their various versions. This significant download count suggests that tens of thousands of developer workstations and CI/CD build environments have been potentially compromised. The campaign’s origins trace back to at least September 2025, with all five packages remaining active at the time of the discovery.
A key factor in the campaign’s longevity and stealth was the attacker’s use of a version rotation technique. Out of 224 total versions published, 219 were deliberately concealed from public search results. By consistently presenting only one visible version and regularly swapping in new ones, the threat actor effectively circumvented hash-based detection methods, compelling security teams to perpetually update their blocklists.
Any developer machine or build server that performed a package restore referencing these five identifiers could have been exposed since late 2025. This extended operational period and high download volume position the incident as one of the more subtly destructive supply chain threats identified this year.
Malicious NuGet Packages: How the Stealer Operates
The malware’s payload is activated via a .NET module initializer, a mechanism that the runtime automatically invokes when a corresponding assembly loads. This means no direct user interaction is required beyond a standard package restore operation. Once triggered, the malware employs JIT hooking to replace the compiler’s dispatch pointer, thereby seizing control over every subsequent method compiled.
Following this initial compromise, a second-stage infostealer, named we4ftg.exe, is executed. This infostealer targets saved credentials across 12 Chromium-based browsers, including Chrome, Edge, Brave, Firefox, and Opera. It meticulously collects passwords, autofill data, session cookies, and payment card information. The payload demonstrates recent maintenance, as evidenced by its ability to handle both legacy and AppBound Chrome encryption formats.
Cryptocurrency assets are a prime target for the infostealer. It specifically goes after browser extension wallets such as MetaMask, TronLink, Phantom, Trust Wallet, and Coinbase Wallet, as well as desktop applications like Exodus, Electrum, Atomic, Guarda, Ledger, and Binance. Beyond crypto, the malware also harvests SSH private keys, Outlook profiles, Steam credentials, and various files from the Documents, Desktop, and Downloads folders.
All exfiltrated data is temporarily stored in a folder path designed to mimic a legitimate Microsoft OneDrive directory. However, a specific file name used in this path is not created by genuine OneDrive operations, serving as a clear indicator of compromise. The collected data is then transmitted to a command-and-control (C2) server, which was registered 33 days prior to the initial NuGet publishing spree.
C2 Infrastructure and Attribution
The primary C2 domain for this operation resolves to a server located in Amsterdam, hosted by a virtual hosting provider. Its nameservers are managed by Njalla, a privacy registrar frequently utilized by threat actors to hinder takedown attempts. The domain itself was crafted to resemble a legitimate DNS provider, allowing it to blend seamlessly into routine firewall logs.
A secondary domain, linked to an Alibaba Cloud server in Shanghai, appears to function as the attacker’s development environment. This domain did not produce any hits in public malware databases and was not observed receiving stolen data.
Attribution efforts were bolstered by a unique RSA-1048 key embedded within every .NET Reactor-protected package. This identical key was found in four other malicious files on VirusTotal, including memory dumps that predated the NuGet campaign by several weeks. Labels associated with these files point to known malware families such as Lumma, Quantum, AgentRacoon, and ArrowRAT, suggesting potential links or shared tooling.
What You Should Do
- Immediately check project and lock files: Developers must scan their project and lock files for any references to the following NuGet packages: IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, or IR.OscarUI.
- Assume compromise: Any machine that restored these packages should be treated as compromised.
- Rotate credentials and keys: All credentials, API keys, SSH keys, and cryptocurrency wallet seeds on affected systems must be immediately rotated.
- Monitor C2 domain connections: Security teams should configure alerts for any connections to the known C2 domain dns-providersa2[.]com.
- Watch for suspicious file creation: Implement monitoring for unexpected file creation at the malware’s staging path: C:ProgramDataMicrosoft OneDrivekeys.dat.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.