Malicious NuGet Package Uses .NET Logging Tool to Steal Cryptocurrency Wallet Data

Source: Cybersecurity News (cybersecuritynews.com)

The cybersecurity landscape has once again been rattled by a subtle yet dangerous supply chain attack. A malicious NuGet package named Tracer.Fody.NLog was discovered masquerading as a legitimate .NET tracing library.

Published in 2020, this package successfully deceived developers for years, accumulating roughly 2,000 downloads by impersonating the popular Tracer.Fody tool and its maintainer.

The attack vector combines package-name impersonation with a typosquatted maintainer alias. The package name presents itself as an NLog adapter for Tracer.Fody, and it was published under the alias csnemess, one letter away from the legitimate maintainer's alias csnemes.

By mirroring the original package’s metadata and description, the threat actors ensured that casual observers would see nothing amiss.
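
The impersonation described above can be caught mechanically before a package is allowed into a build. The following script is an added example (not code from the Socket.dev report or from the Tracer.Fody project): it audits a NuGet package record against an allowlist of trusted upstream packages and their owners, treating any `Upstream.Something` companion package or near-identical id as a claim of kinship that must be backed by a trusted publisher. The allowlist, the package records and the edit-distance thresholds are assumptions constructed for the example.

```python
# Added example: flag NuGet packages that pose as companions of a trusted
# upstream package but are published by an unknown or look-alike alias.
# TRUSTED_OWNERS and SAMPLE_PACKAGES are constructed for this example.

# package id -> publisher alias(es) that legitimately own that id and any
# "<id>.<Something>" companion packages (assumed allowlist)
TRUSTED_OWNERS = {
    "Tracer.Fody": {"csnemes"},
}

def levenshtein(a, b):
    """Edit distance between two strings (classic two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def related_upstream(pkg_id, trusted):
    """Return the trusted id this package claims kinship with, if any.
    'Tracer.Fody.NLog' counts as a companion of 'Tracer.Fody'; an id within
    two edits of a trusted id counts as a name typosquat."""
    low = pkg_id.lower()
    for tid in trusted:
        tl = tid.lower()
        if low == tl or low.startswith(tl + ".") or levenshtein(low, tl) <= 2:
            return tid
    return None

def audit_package(pkg, trusted=TRUSTED_OWNERS):
    """Return a list of (severity, reason) findings for one package record."""
    findings = []
    upstream = related_upstream(pkg["id"], trusted)
    if upstream is None:
        return findings                      # unrelated to anything we allowlist
    owners = trusted[upstream]
    for author in pkg["authors"]:
        if author in owners:
            continue                         # published by the real maintainer
        nearest = min(owners, key=lambda o: levenshtein(author, o))
        d = levenshtein(author, nearest)
        if d <= 2:
            findings.append(("high", f"author '{author}' is {d} edit(s) from trusted "
                                     f"owner '{nearest}' of {upstream}: likely impersonation"))
        else:
            findings.append(("medium", f"'{pkg['id']}' presents as part of {upstream} "
                                       f"but author '{author}' is not a trusted owner"))
    return findings

# Constructed package records (only the fields the check needs); the
# 'Tracer.Fody.Example' entry and the 'someoneelse' alias are invented.
SAMPLE_PACKAGES = [
    {"id": "Tracer.Fody", "authors": ["csnemes"]},
    {"id": "Tracer.Fody.NLog", "authors": ["csnemess"]},
    {"id": "Tracer.Fody.Example", "authors": ["someoneelse"]},
    {"id": "Some.Unrelated.Package", "authors": ["other"]},
]

def audit_all(packages=SAMPLE_PACKAGES):
    """Map package id -> findings, keeping only packages with at least one finding."""
    results = {p["id"]: audit_package(p) for p in packages}
    return {pkg_id: f for pkg_id, f in results.items() if f}

if __name__ == "__main__":
    for pkg_id, findings in audit_all().items():
        for severity, reason in findings:
            print(f"[{severity}] {pkg_id}: {reason}")
```

The distance threshold is deliberately loose (two edits): aliases differ by one doubled letter in this case, but a swapped or substituted character is just as cheap for an attacker. In a real pipeline the allowlist would be populated from the upstream project's published owner list rather than typed in by hand.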

Because the package is pulled in like any other dependency, it ends up wherever the consuming project is restored and built: developer workstations, private internal tools and CI pipelines.

Socket.dev analysts identified this sophisticated threat, noting that it specifically targets cryptocurrency assets.

Hidden within the package’s code is a specialized routine designed to steal sensitive data from Stratis cryptocurrency wallets.

The payload stays dormant until an object carrying a WalletPassword property passes through the library's argument-validation helper; until then it runs nothing, raises no alarms and writes no logs.

The impact is amplified by the package's dwell time. For over five years the malicious code could have sat inside any project that referenced it, waiting for a wallet password to flow through the helper.

The attackers used a command-and-control server located in Russia to collect the stolen wallet data, highlighting the calculated and persistent nature of this financial theft operation.

Inside the Wallet Stealing Code

The core of the malware is its trigger. Rather than running on load, the library wires its payload into a generic argument-validation helper, Guard.NotNull, a common .NET coding pattern.

Google’s AI Overview for Tracer.Fody.NLog (Source – Socket.dev)

Guard helpers of this kind are called routinely to validate arguments, so the payload sees a steady stream of the host application's objects without hooking anything conspicuous.

When the helper receives an object that exposes a WalletPassword property, the payload activates.

```csharp
// Malicious side effect injected into a generic null-check helper
public static T NotNull<T>(T value, string parameterName)
{
    // ... validation checks ...
    Checker.Check(value); // Triggers exfiltration
    return value;
}
```

Using reflection, the code reads the password from that property and then searches the victim's system for Stratis wallet files under %APPDATA%\StratisNode\stratis\StratisMain.

Once it locates wallet.json files, it truncates their contents to the portion holding the key material and silently sends that data, together with the captured password, to a hardcoded IP address.

To frustrate review, the threat actors used homoglyphs, Cyrillic letters that render identically to Latin ones, in their code identifiers, so a malicious identifier reads exactly like a benign one and is hard to spot in manual review even for experienced developers.
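
A reviewer's eye cannot distinguish a Cyrillic "е" from a Latin "e", but a scanner can. The script below is an added example (not code from the report or the package): it tokenizes C# source, reports every identifier containing non-Latin letters with the Unicode script involved, folds confusable Cyrillic letters to their Latin look-alikes, and flags collisions, that is, distinct identifiers that render the same way. The confusables table is a hand-picked subset, and the C# snippet it scans (including the `Exfil` placeholder) is constructed for the example.

```python
# Added example: find homoglyph identifiers in C# source. The confusables table
# is a partial, hand-picked subset (Unicode's confusables.txt is the full list)
# and SAMPLE_CS is a constructed input, not the real package's code.
import re
import unicodedata
from collections import defaultdict

# Cyrillic letters that render like Latin letters in common fonts
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0501": "d",
    "\u0455": "s", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0406": "I", "\u0408": "J", "\u0405": "S",
}

# Unicode-aware: matches C# identifiers, including ones with non-Latin letters
IDENT_RE = re.compile(r"[^\W\d]\w*")

def script_of(ch):
    """First word of the character's Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"

def skeleton(ident):
    """How the identifier reads once confusable Cyrillic letters are folded to Latin."""
    return "".join(CYRILLIC_TO_LATIN.get(c, c) for c in ident)

def strip_comments_and_strings(src):
    """Crude C# pre-pass: blank out comments and string literals, keeping line count."""
    keep_newlines = lambda m: "\n" * m.group(0).count("\n")
    src = re.sub(r"/\*.*?\*/", keep_newlines, src, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    return re.sub(r'"(?:\\.|[^"\\\n])*"', '""', src)

def scan(src):
    """Return (findings, collisions).
    findings:   [(line, identifier, skeleton, scripts)] for identifiers with non-Latin letters
    collisions: {skeleton: [spellings]} where different identifiers fold to the same text,
                i.e. a look-alike of an existing identifier is present in the code."""
    findings = []
    spellings = defaultdict(set)
    for lineno, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        for ident in IDENT_RE.findall(line):
            scripts = sorted({script_of(c) for c in ident if c.isalpha()})
            if any(s != "LATIN" for s in scripts):
                findings.append((lineno, ident, skeleton(ident), scripts))
            spellings[skeleton(ident)].add(ident)
    collisions = {k: sorted(v) for k, v in spellings.items() if len(v) > 1}
    return findings, collisions

# Constructed C# sample: the second class and the call inside NotNull spell
# "Checker" with CYRILLIC SMALL LETTER IE (U+0435) in place of the Latin "e".
SAMPLE_CS = "\n".join([
    "// benign helper a reviewer expects to see",
    "public static class Checker { public static void Check(object v) { } }",
    "public static class Ch\u0435cker { public static void Check(object v) { Exfil(v); } }",
    "public static T NotNull<T>(T value, string parameterName)",
    "{",
    "    Ch\u0435cker.Check(value); // reads as the benign Checker in review",
    "    return value;",
    "}",
])

if __name__ == "__main__":
    findings, collisions = scan(SAMPLE_CS)
    for lineno, ident, skel, scripts in findings:
        print(f"line {lineno}: {ident!r} renders as {skel!r}, scripts {scripts}")
    for skel, forms in collisions.items():
        print(f"collision: {forms} all render as {skel!r}")
```

The collision report is the useful part: a lone non-Latin identifier might be a legitimately named symbol, but two identifiers that fold to the same Latin text almost always mean one of them was planted to hide behind the other. Run it over the package's source, or over decompiler output for a binary-only package, and treat any hit as a stop-ship finding until explained.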

NuGet search results (Source – Socket.dev)

This combination of homoglyph obfuscation and silent execution ensures that the host application appears to run normally while sensitive financial data is drained from the compromised system.

The attack demonstrates how easily trusted development tools can be weaponized against unsuspecting users, turning routine dependency updates into security liabilities for the whole organization. Two cheap checks follow directly from this case: confirm that any "companion" package (Foo.Bar.Something) is published by the same owner as the project it claims to extend, and flag non-ASCII letters in identifiers when reviewing a dependency's source or decompiled code.
