
Cybersecurity researchers have discovered a new supply chain attack that targets users of Nethereum, the popular Ethereum integration library for .NET, with malicious typosquats on the NuGet package manager designed to steal victims’ cryptocurrency wallet keys.
According to security firm Socket, the package ‘Netherеum.All’ was found to contain functionality that decodes command-and-control (C2) endpoints and leaks mnemonic phrases, private keys, and keystore data.
The library was uploaded on October 16, 2025 by a user named ‘nethereumgroup’. Four days later, it was removed from NuGet for violating the terms of service.
What’s notable about the NuGet package is that its name replaces the last occurrence of the Latin letter “e” with the visually identical (isomorphic) Cyrillic letter “е” (U+0435), so that it renders exactly like the legitimate package name and tricks unsuspecting developers into downloading it.

In a further attempt to increase the credibility of the package, the attackers artificially inflated the download numbers, claiming that the package had been downloaded 11.7 million times. This is a big red flag considering it’s unlikely that a brand new library would record such high numbers in such a short period of time.
“An attacker could publish many versions, script the download of each .nupkg via a v3 flat container or loop nuget.exe, and run dotnet restore using the no-cache option from the cloud host,” said security researcher Kirill Boychenko. “Rotating IPs and user agents and parallelizing requests improves volume while avoiding client caching.”

“The result is packages that look ‘popular’ and rank well in searches sorted by relevance, giving developers false evidence when they glance at the numbers.”
The main payload in the NuGet package is inside a function named EIP70221TransactionService.Shuffle, which decodes an XOR-encoded string to recover the C2 server (solananetworkinstance[.]info/api/gads) and exfiltrates the wallet’s sensitive data to the attacker.
The threat actor was found to have uploaded another NuGet package called ‘NethereumNet’ with the same malicious functionality earlier in the month. This has already been removed by the NuGet security team.

This is not the first isomorphic typosquat discovered in the NuGet repository. In July 2024, ReversingLabs documented several packages that masqueraded as legitimate ones by replacing certain characters in their names with visually equivalent look-alikes to evade casual inspection.
Unlike other open source package repositories such as PyPI, npm, Maven Central, Go modules, and RubyGems, which restrict package names to ASCII, NuGet imposes no such restriction beyond prohibiting spaces and unsafe URL characters, opening the door to this kind of abuse.
To mitigate such risks, users should carefully examine libraries before installing them: verify the publisher’s identity, treat sudden spikes in download counts as a warning sign rather than as evidence of popularity, and monitor for unusual network traffic after installation.
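One defender-side check that follows from the naming gap described above, given here as an added example that is not from the article or from Socket’s research: scan a project’s .csproj for package IDs containing non-ASCII characters and flag any whose Latin-script skeleton matches a known package name. The confusables table is an assumed minimal subset (a real tool would use Unicode’s confusables data), and the sample project file is constructed.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Assumed minimal homoglyph table: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

def skeleton(package_id: str) -> str:
    """Map look-alike characters to their Latin equivalents (after NFKC normalization)."""
    normalized = unicodedata.normalize("NFKC", package_id)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)

def audit_package_id(package_id: str, known_ids: set) -> list:
    """Return findings for one package ID; an empty list means nothing suspicious."""
    findings = []
    if not package_id.isascii():
        non_ascii = [f"U+{ord(c):04X}" for c in package_id if not c.isascii()]
        findings.append(f"non-ASCII characters {non_ascii}")
    skel = skeleton(package_id)
    if skel != package_id and skel.lower() in {k.lower() for k in known_ids}:
        findings.append(f"homoglyph look-alike of known package '{skel}'")
    return findings

def audit_csproj(csproj_xml: str, known_ids: set) -> dict:
    """Audit every <PackageReference Include=...> in an SDK-style .csproj document."""
    root = ET.fromstring(csproj_xml)
    report = {}
    for ref in root.iter("PackageReference"):
        pid = ref.get("Include", "")
        findings = audit_package_id(pid, known_ids)
        if findings:
            report[pid] = findings
    return report

# Constructed sample: one legitimate reference and one whose last "e" is Cyrillic U+0435.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Nether\u0435um.All" Version="1.0.0" />
  </ItemGroup>
</Project>"""

# Constructed allowlist of package IDs the project is expected to depend on.
KNOWN = {"Nethereum.All", "Nethereum.Web3", "Newtonsoft.Json"}

if __name__ == "__main__":
    for pid, issues in audit_csproj(SAMPLE_CSPROJ, KNOWN).items():
        print(pid, "->", "; ".join(issues))
```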