5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer

Pulse ID: 6a0160261c57f2812cc5a92c
Pulse Link: https://otx.alienvault.com/pulse/6a0160261c57f2812cc5a92c
Pulse Author: Tr1sa111
Created: 2026-05-11 04:50:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #CyberSecurity #InfoSec #NuGet #OTX #OpenThreatExchange #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer

Five malicious NuGet packages published under account bmrxntfj impersonate Chinese .NET libraries to deploy an infostealer targeting browser credentials, cryptocurrency wallets, SSH keys, and local files. The packages typosquat legitimate Chinese UI and infrastructure libraries, grafting .NET Reactor-protected payloads onto decompiled legitimate code. The campaign uses version rotation to evade hash-based detection, with 219 of 224 total versions unlisted but fetchable. The stealer targets 12 browsers, 8 desktop crypto wallets, and 5 browser wallet extensions, exfiltrating data to a newly-registered C2 domain. With approximately 65,000 downloads across all versions, the campaign puts tens of thousands of developer workstations and CI/CD build servers at risk. The payload executes through .NET module initializers, hooks the CLR JIT compiler, and supports cross-platform infection including Linux and macOS infrastructure.

Pulse ID: 69fcc64069bf35be793669dd
Pulse Link: https://otx.alienvault.com/pulse/69fcc64069bf35be793669dd
Pulse Author: AlienVault
Created: 2026-05-07 17:05:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Chinese #CyberSecurity #InfoSec #InfoStealer #Linux #Mac #MacOS #NET #NuGet #OTX #OpenThreatExchange #RAT #SSH #bot #cryptocurrency #AlienVault

#Nuget: Malicious NuGet packages mimicked trusted .NET libraries to steal credentials, key crypto wallets.
Packages:

IR.DantUI, IR.OscarUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32

included an infostealer #malware:
👇
https://gbhackers.com/malicious-nuget-packages-2/

VSTest is Removing its Newtonsoft.Json Dependency - .NET Blog

VSTest is removing its Newtonsoft.Json dependency in .NET 11 and Visual Studio 18.8. Here's who is affected and how to fix it.

.NET Blog

From the .NET blog...

In case you missed it earlier...

VSTest is Removing its Newtonsoft.Json Dependency
https://devblogs.microsoft.com/dotnet/vs-test-is-removing-its-newtonsoft-json-dependency/ #dotnet #NETFramework #nuget #testing #visualstudio #vs #vstest

New post from my blog...

In case you missed it earlier...

Give .NET Its Props - Central Package Management
https://barretblake.dev/posts/development/2026/04/give-dotnet-its-props/ #nuget #packagemanagement #dotnet

New post from my blog...

Give .NET Its Props - Central Package Management
https://barretblake.dev/posts/development/2026/04/give-dotnet-its-props/ #nuget #packagemanagement #dotnet

In about one hour, combining the powers of Native AOT and System.CommandLine, we will turn Inspector Roslyn into a standalone CLI tool.

2026-04-22 (Wednesday)
at 17:00 UTC

#2codeOrNot2code #dotnet #CSharp #Roslyn #NuGet

https://www.youtube.com/watch?v=DAyZ_6KvpiM

2code ^ !2code [S2026E06] Inspector Roslyn is a CLI tool

YouTube

Evaluating CRON and RRule expressions in .NET - Gérald Barré

Learn how to parse and evaluate CRON expressions and iCalendar recurrence rules in .NET with Meziantou.Framework.Scheduling.

Meziantou's blog