Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Rogue NuGet Package Poses as Tracer.Fody, Steals Cryptocurrency Wallet Data

The Hacker News by The Hacker News
December 16, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Dec 16, 2025Ravie LakshmananCybersecurity / Cryptocurrency

Cybersecurity researchers have discovered a new malicious NuGet package that typosquats and impersonates the popular .NET tracing library and its author to sneak in a cryptocurrency wallet stealer.

The malicious package, named “Tracer.Fody.NLog,” remained on the repository for nearly six years. It was published by a user named “csnemess” on February 26, 2020. It masquerades as “Tracer.Fody,” which is maintained by “csnemes.” The package continues to remain available as of writing, and has been downloaded at least 2,000 times, out of which 19 took place over the last six weeks for version 3.2.4.

Cybersecurity

“It presents itself as a standard .NET tracing integration but in reality functions as a cryptocurrency wallet stealer,” Socket security researcher Kirill Boychenko said. “Inside the malicious package, the embedded Tracer.Fody.dll scans the default Stratis wallet directory, reads *.wallet.json files, extracts wallet data, and exfiltrates it together with the wallet password to threat actor-controlled infrastructure in Russia at 176.113.82[.]163.”

The software supply chain security company said the threat leveraged a number of tactics that allowed it to elude casual review, including mimicking the legitimate maintainer by using a name that differs by a single letter (“csnemes” vs. “csnemess”), using Cyrillic lookalike characters in the source code, and hiding the malicious routine within a generic helper function (“Guard.NotNull”) that’s used during regular program execution.

Once a project references the malicious package, it activates its behavior by scanning the default Stratis wallet directory on Windows (“%APPDATA%\StratisNode\stratis\StratisMain”), reads *.wallet.json files and in-memory passwords, and exfiltrates them to the Russian-hosted IP address.

“All exceptions are silently caught, so even if the exfiltration fails, the host application continues to run without any visible error while successful calls quietly leak wallet data to the threat actor’s infrastructure,” Boychenko said.

Cybersecurity

Socket said the same IP address was previously put to use in December 2023 in connection with another NuGet impersonation attack in which the threat actor published a package named “Cleary.AsyncExtensions” under the alias “stevencleary” and incorporated functionality to siphon wallet seed phrases. The package was so-called to disguise itself as the AsyncEx NuGet library.

The findings once illustrate how malicious typosquats mirroring legitimate tools can stealthily operate without attracting any attention across the open-source repository ecosystems.

“Defenders should expect to see similar activity and follow-on implants that extend this pattern,” Socket said. “Likely targets include other logging and tracing integrations, argument validation libraries, and utility packages that are common in .NET projects.”



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Infosys and MIT Technology Review Insights Report Reveals the Critical Role of Psychological Safety in Driving AI Initiatives — with 83% of Business Leaders Reporting a Measurable Impact

Infosys and MIT Technology Review Insights Report Reveals the Critical Role of Psychological Safety in Driving AI Initiatives -- with 83% of Business Leaders Reporting a Measurable Impact

Recommended.

AI Has Flooded All the Weather Apps

AI Has Flooded All the Weather Apps

March 31, 2026
Huawei presenta nuovi prodotti e gli XMAGE Awards 2025 al Fashion Next Event di Dubai

Huawei presenta nuovi prodotti e gli XMAGE Awards 2025 al Fashion Next Event di Dubai

July 12, 2025

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
OpenTable Launches All-in-One Marketplace for Private and Group Dining

OpenTable Launches All-in-One Marketplace for Private and Group Dining

September 16, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio