Cybersecurity researchers have discovered a malicious NuGet package that typosquats a popular .NET tracing library, impersonates its author, and delivers a cryptocurrency wallet stealer.
The malicious package, named “Tracer.Fody.NLog”, has sat in the repository for almost six years. It was published by a user named “csnemess” on February 26, 2020, and is disguised as the legitimate “Tracer.Fody” library, which is maintained by “csnemes”. The package remains available at the time of writing and has been downloaded at least 2,000 times, 19 of them in the last six weeks for version 3.2.4.
“It presents itself as a standard .NET tracing integration but actually acts as a cryptocurrency wallet stealer,” said Socket security researcher Kirill Boychenko. “Inside the malicious package, the embedded tracer.fodi.dll scans the default Stratis wallet directory, reads *.wallet.json files, extracts wallet data, and exfiltrates it along with wallet passwords to threat actor-controlled infrastructure in Russia at 176.113.82[.]163.”
The software supply chain security company said the threat relied on several tactics to evade casual review: mimicking the legitimate maintainer with a username that differs by one letter (“csnemes” vs. “csnemess”), using Cyrillic lookalike characters in the source code, and hiding the malicious routine inside an ordinary-looking helper function (“Guard.NotNull”) that is called during normal program execution.
Once a project references the malicious package, that routine scans the default Stratis wallet directory (“%APPDATA%\StratisNode\stratis\StratisMain”) on Windows, reads *.wallet.json files and the wallet passwords held in memory, and sends them to a Russian-hosted IP address.
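The three evasion tactics described above (a one-letter username variation, a trusted package ID extended with an extra suffix, and Cyrillic lookalikes inside identifiers) all lend themselves to mechanical checks during dependency review. The script below is an added example, not Socket's tooling and not code from the Tracer.Fody project. It assumes a .csproj manifest and a reader-maintained list of trusted package IDs and authors; the .csproj fragment and the C# snippet it scans are constructed for the demonstration.

```python
"""Audit a .NET project's dependencies and source for the three evasion tactics
described above: a maintainer or package name one edit away from a trusted one,
a trusted package ID extended with an extra suffix, and Cyrillic lookalike
characters mixed into Latin identifiers.

Added example, not Socket's tooling and not code from Tracer.Fody.
Assumptions: the manifest is a .csproj, and the trusted package and author
lists below are maintained by the reader. Both sample inputs are constructed.
"""
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed .csproj fragment: one trusted reference, one lookalike.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Tracer.Fody.NLog" Version="3.2.4" />
  </ItemGroup>
</Project>"""

# Constructed C# snippet. The second 'tracer' spells its 'e' as U+0435
# (CYRILLIC SMALL LETTER IE), so it is a distinct identifier that renders alike.
SAMPLE_SOURCE = """public static T NotNull<T>(T value)
{
    var tracer = Tracer.Instance;
    var trac\u0435r = Hidden.Load();
    return value;
}"""

TRUSTED_PACKAGES = {"Tracer.Fody", "Newtonsoft.Json", "NLog"}   # reader-maintained
TRUSTED_AUTHORS = {"csnemes"}                                    # reader-maintained


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_ids(csproj_xml: str) -> list:
    """Collect PackageReference Include attributes from a .csproj document."""
    root = ET.fromstring(csproj_xml)
    return [e.get("Include") for e in root.iter("PackageReference") if e.get("Include")]


def lookalike_report(names, trusted, max_distance: int = 1) -> list:
    """Return (name, trusted_name, reason) for names that are not trusted but
    either extend a trusted name with a '.suffix' or sit within max_distance
    edits of it. Comparison is case-insensitive, as NuGet IDs are."""
    trusted_lower = {t.lower(): t for t in trusted}
    findings = []
    for name in names:
        low = name.lower()
        if low in trusted_lower:
            continue
        for t_low, t in sorted(trusted_lower.items()):
            if low.startswith(t_low + "."):
                findings.append((name, t, "suffix-extension"))
                break
            if levenshtein(low, t_low) <= max_distance:
                findings.append((name, t, "edit-distance"))
                break
    return findings


def mixed_script_identifiers(source: str) -> list:
    """Return (identifier, scripts) for identifiers whose letters come from more
    than one Unicode script, e.g. Latin plus Cyrillic. The script is taken from
    the first word of the character's Unicode name."""
    hits = []
    for ident in set(re.findall(r"[^\W\d]\w*", source)):
        scripts = {unicodedata.name(ch, "?").split(" ")[0] for ch in ident if ch.isalpha()}
        if len(scripts) > 1:
            hits.append((ident, sorted(scripts)))
    return sorted(hits)


def audit(csproj_xml: str, source: str, author: str) -> dict:
    """Run all three checks and return the findings keyed by check."""
    return {
        "packages": lookalike_report(package_ids(csproj_xml), TRUSTED_PACKAGES),
        "authors": lookalike_report([author], TRUSTED_AUTHORS),
        "identifiers": mixed_script_identifiers(source),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CSPROJ, SAMPLE_SOURCE, "csnemess").items():
        print(key, value)
```

The suffix check is deliberately separate from the edit-distance check: “Tracer.Fody.NLog” is five edits away from “Tracer.Fody”, so a pure distance threshold would miss it, while the one-letter “csnemess” is caught by distance alone. The mixed-script check is a cheap pre-commit or CI gate; a single flagged identifier in a package that should be pure ASCII is enough reason to open the source.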
“All exceptions are silently caught, so even if the intrusion fails, the host application continues to run without any visible errors, while the successful call silently leaks wallet data into the threat actor’s infrastructure,” Boychenko said.
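Because the package swallows every exception, the victim application gives no hint of the theft, so the observable signals are on the host: an unexpected process reading files under the Stratis wallet directory and, shortly after, the same process opening a connection to the reported address. The detection below is an added example, not Socket's rules and not the package's code. It assumes endpoint telemetry already normalised to JSON lines with the field names used here (timestamps as epoch seconds) and a reader-maintained allowlist of processes expected to touch the wallet directory; the article reports only the IP, not a port, so the rule matches on the destination address alone. The sample events are constructed.

```python
"""Host-side detection for the behaviour described above: a process other
than the wallet software reading Stratis *.wallet.json files, and any process
connecting to the reported C2 address, correlated per process.

Added example, not Socket's detection rules and not the package's code.
Assumptions: telemetry is JSON lines with the fields used below (ts as epoch
seconds), and EXPECTED_WALLET_PROCESSES is maintained by the reader.
The sample events are constructed.
"""
import fnmatch
import json
from collections import defaultdict

IOC_IPS = {"176.113.82.163"}   # reported C2, defanged in the article as 176.113.82[.]163
# %APPDATA%\StratisNode\stratis\StratisMain\*.wallet.json, lowercased for matching
WALLET_GLOB = "*\\stratisnode\\stratis\\stratismain\\*.wallet.json"
EXPECTED_WALLET_PROCESSES = {"stratiswallet.exe"}   # assumption: reader-maintained allowlist

# Constructed telemetry: one process reads the wallet then calls the C2; the
# wallet software reads it legitimately; a backup tool reads it but goes elsewhere.
SAMPLE_LINES = [
    r'{"ts": 1000, "host": "ws01", "pid": 4120, "process": "Invoicing.exe", "event": "file_read", "path": "C:\\Users\\alice\\AppData\\Roaming\\StratisNode\\stratis\\StratisMain\\main.wallet.json"}',
    r'{"ts": 1003, "host": "ws01", "pid": 4120, "process": "Invoicing.exe", "event": "network_connect", "dst_ip": "176.113.82.163"}',
    r'{"ts": 2000, "host": "ws01", "pid": 880, "process": "StratisWallet.exe", "event": "file_read", "path": "C:\\Users\\alice\\AppData\\Roaming\\StratisNode\\stratis\\StratisMain\\main.wallet.json"}',
    r'{"ts": 3000, "host": "ws01", "pid": 2201, "process": "Backup.exe", "event": "file_read", "path": "C:\\Users\\alice\\AppData\\Roaming\\StratisNode\\stratis\\StratisMain\\main.wallet.json"}',
    r'{"ts": 3005, "host": "ws01", "pid": 2201, "process": "Backup.exe", "event": "network_connect", "dst_ip": "13.107.42.16"}',
]


def parse_events(lines) -> list:
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def is_wallet_file(path: str) -> bool:
    """Windows paths are case-insensitive, so compare the lowercased path."""
    return fnmatch.fnmatchcase(path.lower(), WALLET_GLOB)


def detect(events, window_seconds: int = 300) -> list:
    """Return findings: C2 contacts first, then wallet reads by unexpected
    processes. A wallet read is 'medium' on its own and 'critical' when the
    same (host, pid) contacted the C2 within window_seconds of the read."""
    findings = []
    c2_times = defaultdict(list)   # (host, pid) -> timestamps of C2 contacts
    for ev in events:
        if ev["event"] == "network_connect" and ev["dst_ip"] in IOC_IPS:
            c2_times[(ev["host"], ev["pid"])].append(ev["ts"])
            findings.append({"rule": "c2_contact", "severity": "high",
                             "process": ev["process"], "pid": ev["pid"], "ts": ev["ts"]})
    for ev in events:
        if ev["event"] != "file_read" or not is_wallet_file(ev["path"]):
            continue
        if ev["process"].lower() in EXPECTED_WALLET_PROCESSES:
            continue
        correlated = any(abs(t - ev["ts"]) <= window_seconds
                         for t in c2_times[(ev["host"], ev["pid"])])
        findings.append({"rule": "wallet_read",
                         "severity": "critical" if correlated else "medium",
                         "process": ev["process"], "pid": ev["pid"], "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LINES)):
        print(finding)
```

The wallet-read rule fires on its own at medium severity because the C2 address is the part of this activity most likely to change in follow-up implants, whereas the wallet directory is fixed by the Stratis software. Keying the correlation on (host, pid) rather than process name keeps a renamed binary from splitting the two signals.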
Socket said the same IP address was previously used in another NuGet impersonation campaign in December 2023, in which the threat actor published a package called “Cleary.asyncExtensions” under the alias “StevenCleary” that siphoned wallet seed phrases. That package mimicked the legitimate AsyncEx NuGet library.
The findings illustrate how typosquatted packages that mirror legitimate tools can persist unnoticed in open-source repositories for years.
“Defenders should expect to see similar activity and follow-up implants that extend this pattern,” Socket said. “Potential targets include other logging and tracing integrations, logic validation libraries, and utility packages that are common in .NET projects.”