
"Cybersecurity researchers have uncovered a new supply chain attack targeting the NuGet package manager with malicious typosquats of Nethereum, a popular Ethereum .NET integration platform, to steal victims' cryptocurrency wallet keys. The package, Netherеum.All, has been found to harbor functionality to decode a command-and-control (C2) endpoint and exfiltrate mnemonic phrases, private keys, and keystore data, according to security company Socket."
""A threat actor can publish many versions, then script downloads of each .nupkg through the v3 flat-container or loop nuget.exe install and dotnet restore with no-cache options from cloud hosts," security researcher Kirill Boychenko said. "Rotating IPs and user agents and parallelizing requests boosts volume while avoiding client caches." "The result is a package that appears 'popular,' which boosts placement for searches sorted by relevance and lends a false sense of proof when developers glance at the numbers.""
A malicious NuGet package named Netherеum.All impersonated Nethereum by swapping the final letter 'e' for a Cyrillic homoglyph to trick developers. The package contained an XOR-decoding routine that revealed a command-and-control endpoint (solananetworkinstance[.]info/api/gads) and functionality to collect and exfiltrate mnemonic phrases, private keys, and keystore files. The package was uploaded by user "nethereumgroup" on October 16, 2025, and removed four days later for Terms of Use violations. Threat actors inflated download counts to 11.7 million by scripting installs, rotating IPs and user agents, and parallelizing requests to boost search placement. The main payload is located in EIP70221TransactionService.Shuffle.
Read at The Hacker News
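Because the homoglyph is invisible in most fonts and the download count was inflated, a dependency review has to check the package ID's code points rather than how it looks. The following is an added example, not code from the article or from Socket: it audits the `PackageReference` IDs of an SDK-style `.csproj` for non-ASCII characters, mixed scripts, and IDs that render like a trusted name. The function names, the confusables subset, the allowlist, and the sample project file are all constructed for illustration.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Small constructed subset of Cyrillic letters that render like Latin ones;
# the full Unicode confusables table is much larger.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

def script_of(ch):
    """Coarse script label taken from the Unicode character name."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]  # LATIN, CYRILLIC, ...

def audit_package_id(pkg_id, trusted_ids):
    """Return a list of findings for one package ID (empty list = clean)."""
    findings = []
    for i, ch in enumerate(pkg_id):
        if ord(ch) > 127:
            findings.append(f"non-ASCII U+{ord(ch):04X} "
                            f"{unicodedata.name(ch, '?')} at index {i}")
    scripts = {s for s in map(script_of, pkg_id) if s}
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    # Map lookalikes to ASCII and compare against the names we meant to use.
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in pkg_id)
    trusted = {t.lower(): t for t in trusted_ids}
    if skeleton != pkg_id and skeleton.lower() in trusted:
        findings.append(f"renders like trusted ID {trusted[skeleton.lower()]!r}")
    return findings

def audit_csproj(xml_text, trusted_ids):
    """Audit every PackageReference Include in an SDK-style .csproj."""
    report = {}
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        pkg_id = ref.get("Include", "")
        hits = audit_package_id(pkg_id, trusted_ids)
        if hits:
            report[pkg_id] = hits
    return report

# Constructed project file: second reference uses Cyrillic U+0435 for an "e".
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="0.0.0" />
  <PackageReference Include="Nether\u0435um.All" Version="0.0.0" />
</ItemGroup></Project>"""
TRUSTED = ["Nethereum.All"]  # assumed allowlist: the ASCII spelling of the name

if __name__ == "__main__":
    for pkg, hits in audit_csproj(SAMPLE_CSPROJ, TRUSTED).items():
        print(ascii(pkg), hits)
```

Run as a pre-restore or CI step, a non-empty report is a reason to fail the build before any package code is downloaded or executed.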