Malicious NuGet Packages Target .NET Developers, Stealing Credentials and Crypto Data
A sophisticated campaign is leveraging malicious NuGet packages to steal browser credentials, SSH keys, and cryptocurrency wallet data from developer machines and CI/CD infrastructure, with a focus on Chinese .NET ecosystems. The attack, identified by Socket’s Threat Research Team, involves five packages (IR.DantUI, IR.OscarUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, and IR.iplus32) published under the account bmrxntfj.
These packages mimic legitimate Chinese WinForms and enterprise libraries and embed a heavily obfuscated, .NET Reactor-protected infostealer. Since late 2025 they have accumulated 65,000 downloads across 224 versions, 219 of which were deliberately unlisted to evade detection. The attacker keeps only one version visible at a time and rotates the unlisted builds, inflating install counts while avoiding hash-based scans.
Execution begins upon loading any IR.* assembly, triggering a multi-stage infection process. The malware verifies an RSA-1024 anti-tamper signature, allocates read-write-execute memory, and hooks clrjit.dll!getJit to inject attacker-controlled code during JIT compilation. Cross-platform support ensures functionality on Windows, Linux, and macOS, with obfuscated API calls to evade static analysis.
The infostealer targets 12 Chromium-based browsers (including Chrome, Edge, and Brave), Firefox, and Thunderbird, extracting passwords and session cookies by abusing the IElevator COM interface. It also harvests cryptocurrency wallet data from MetaMask, TronLink, Phantom, Trust Wallet, and Coinbase Wallet, along with files from Exodus, Electrum, and Ledger. Additional targets include SSH keys, Outlook profiles, Steam sessions, and documents from the Desktop, Documents, and Downloads directories.
Stolen data is staged at C:\ProgramData\Microsoft OneDrive\keys.dat before exfiltration to https://dns-providersa2[.]com/upload, using randomized HTTP headers of the form X-{three lowercase letters} to bypass network signatures. The C2 domain, registered in March 2026, resolves to a VDSINA VPS in Amsterdam and is shielded by the privacy-focused registrar Njalla.
Attribution links the packages to a unique .NET Reactor RSA public key, connecting them to additional artifacts like s4.exe and fake CRYPT32.DLL.MUI binaries. While YARA rules associate the samples with families like Lumma, Quantum, and AgentRacoon, the exact threat actor remains unclear. A private Alibaba Cloud-hosted Git server (git[.]justdotrip[.]com) is believed to host the operator’s development environment.
Any system that restored or loaded these packages since September 2025 should be considered compromised. With 65,000 downloads, the campaign’s impact spans developer workstations and CI/CD pipelines, exposing sensitive data to theft. Defenders are advised to scan for the five package IDs, rotate exposed credentials, and block traffic to the identified C2 infrastructure.
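A defender-side check for the first recommendation above (scan for the five package IDs), as an added example that is not code from Socket, gbhackers or Rankiteo: it walks a checkout for packages.config, SDK-style project files and project.assets.json, and separately checks a NuGet global-packages folder for extracted copies, matching IDs case-insensitively because NuGet treats package IDs that way. The manifest layouts it reads are the standard ones (an assumption), the sample manifests embedded in the block are constructed, and the package IDs are the ones named on the page.

```python
"""Scan a source tree and a NuGet cache for the five malicious IR.* package IDs.

Added example (not Socket's or gbhackers' code). The manifest layouts assumed
here are the standard NuGet/MSBuild ones; the sample manifests at the bottom
are constructed. NuGet package IDs are case-insensitive, so comparisons lowercase.
"""
import json
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# The five package IDs named in the advisory.
MALICIOUS_IDS = frozenset(pid.lower() for pid in (
    "IR.DantUI", "IR.OscarUI", "IR.Infrastructure.Core",
    "IR.Infrastructure.DataService.Core", "IR.iplus32",
))

def _local(tag):
    """Strip an XML namespace ({uri}Name -> Name); old-style csproj files carry one."""
    return tag.rsplit("}", 1)[-1]

def find_in_xml(text):
    """(id, version) hits from packages.config or an MSBuild project file."""
    hits = []
    for el in ET.fromstring(text).iter():
        tag = _local(el.tag)
        if tag == "package":                          # packages.config entry
            pid, ver = el.get("id"), el.get("version")
        elif tag == "PackageReference":               # SDK-style csproj/props entry
            pid, ver = el.get("Include") or el.get("Update"), el.get("Version")
            if ver is None:                           # <Version> may be a child element
                ver = next((c.text.strip() for c in el
                            if _local(c.tag) == "Version" and c.text), None)
        else:
            continue
        if pid and pid.lower() in MALICIOUS_IDS:
            hits.append((pid, ver or "?"))
    return hits

def find_in_assets(text):
    """(id, version) hits from project.assets.json; library keys are 'Id/Version'."""
    hits = []
    for key, meta in json.loads(text).get("libraries", {}).items():
        pid, _, ver = key.partition("/")
        if meta.get("type") == "package" and pid.lower() in MALICIOUS_IDS:
            hits.append((pid, ver or "?"))
    return hits

MANIFEST_GLOBS = ("packages.config", "*.csproj", "*.vbproj", "*.fsproj",
                  "*.props", "*.targets", "project.assets.json")

def scan_tree(root):
    """Walk a checkout; return (path, id, version) for every malicious reference."""
    findings = []
    for pattern in MANIFEST_GLOBS:
        for path in Path(root).rglob(pattern):
            try:
                text = path.read_text(encoding="utf-8-sig")
                if path.name == "project.assets.json":
                    hits = find_in_assets(text)
                else:
                    hits = find_in_xml(text)
            except (ET.ParseError, json.JSONDecodeError, OSError):
                continue                              # unreadable manifest: skip it
            findings.extend((str(path), pid, ver) for pid, ver in hits)
    return findings

def scan_package_cache(cache_dir):
    """Check a NuGet global-packages folder (~/.nuget/packages by default) for
    extracted copies; folders there are the lowercased ID, one subfolder per version."""
    findings = []
    cache = Path(cache_dir)
    if cache.is_dir():
        for entry in cache.iterdir():
            if entry.is_dir() and entry.name.lower() in MALICIOUS_IDS:
                versions = sorted(v.name for v in entry.iterdir() if v.is_dir())
                findings.append((str(entry), entry.name, ",".join(versions) or "?"))
    return findings

# Constructed sample manifests (not real project files).
SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="13.0.3" targetFramework="net48" />
  <package id="ir.dantui" version="1.2.0" targetFramework="net48" />
</packages>"""

SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Serilog" Version="3.1.1" />
    <PackageReference Include="IR.Infrastructure.Core">
      <Version>2.0.5</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

SAMPLE_ASSETS = json.dumps({"libraries": {
    "Serilog/3.1.1": {"type": "package"},
    "IR.iplus32/0.9.1": {"type": "package"},
    "MyApp.Lib/1.0.0": {"type": "project"}}})

def demo():
    """Write the samples into a temp tree, scan it, and return both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "legacy").mkdir()
        (root / "legacy" / "packages.config").write_text(SAMPLE_PACKAGES_CONFIG)
        (root / "App.csproj").write_text(SAMPLE_CSPROJ)
        (root / "obj").mkdir()
        (root / "obj" / "project.assets.json").write_text(SAMPLE_ASSETS)
        # Fake cache layout: <cache>/<lowercase-id>/<version>/
        (root / "cache" / "ir.oscarui" / "3.4.0").mkdir(parents=True)
        return scan_tree(root), scan_package_cache(root / "cache")

if __name__ == "__main__":
    tree_hits, cache_hits = demo()
    for path, pid, ver in tree_hits + cache_hits:
        print(f"MALICIOUS {pid} {ver}  <- {path}")
```

Run it against a real checkout by calling scan_tree on the repository root and scan_package_cache on the machine's global-packages folder; a hit from the cache means the package was restored on that host even if the project no longer references it, which is the "restored or loaded" condition the advisory uses.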
Source: https://gbhackers.com/malicious-nuget-packages-2/
Iron Software cybersecurity rating report: https://www.rankiteo.com/company/ironsoftware
"id": "IRO1778142529",
"linkid": "ironsoftware",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '65,000 downloads (potential '
'systems compromised)',
'industry': 'Software Development, Technology',
'location': 'Global (focus on Chinese ecosystems)',
'type': 'Developers, Enterprises using .NET'}],
'attack_vector': 'Malicious NuGet Packages',
'data_breach': {'data_encryption': 'Data staged at C:\\ProgramData\\Microsoft '
'OneDrive\\keys.dat before exfiltration',
'data_exfiltration': True,
'file_types_exposed': ['Password databases',
'Session cookies',
'Wallet files',
'SSH keys',
'Documents'],
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (PII, financial data, '
'authentication credentials)',
'type_of_data_compromised': ['Browser credentials',
'SSH keys',
'Cryptocurrency wallet data',
'Outlook profiles',
'Steam sessions',
'Documents']},
'date_detected': '2025-09-01',
'description': 'A sophisticated campaign is leveraging malicious NuGet '
'packages to steal browser credentials, SSH keys, and '
'cryptocurrency wallet data from developer machines and CI/CD '
'infrastructure, with a focus on Chinese .NET ecosystems. The '
'attack involves five packages (IR.DantUI, IR.OscarUI, '
'IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, '
'and IR.iplus32) published under the account bmrxntfj. These '
'packages mimic legitimate Chinese WinForms and enterprise '
'libraries, embedding a heavily obfuscated .NET '
'Reactor-protected infostealer.',
'impact': {'data_compromised': 'Browser credentials, SSH keys, cryptocurrency '
'wallet data, Outlook profiles, Steam '
'sessions, documents from '
'Desktop/Documents/Downloads directories',
'identity_theft_risk': 'High (PII, credentials, and wallet data '
'exposed)',
'operational_impact': 'Compromised development and deployment '
'environments',
'payment_information_risk': 'High (Cryptocurrency wallet data '
'exposed)',
'systems_affected': 'Developer workstations, CI/CD pipelines'},
'initial_access_broker': {'backdoors_established': 'JIT compilation hooking '
'(clrjit.dll!getJit)',
'entry_point': 'Malicious NuGet packages',
'high_value_targets': ['Developer workstations',
'CI/CD pipelines']},
'investigation_status': 'Ongoing',
'lessons_learned': 'Supply chain attacks via package managers (NuGet) can '
'evade detection through obfuscation and version rotation. '
'Cross-platform malware targeting developers poses '
'significant risks to CI/CD pipelines and sensitive data.',
'motivation': 'Data Theft (Credentials, SSH Keys, Cryptocurrency Wallet Data)',
'post_incident_analysis': {'corrective_actions': ['Implement package signing '
'and verification for NuGet',
'Monitor for unusual JIT '
'compilation activity',
'Enhance static and dynamic '
'analysis of packages'],
'root_causes': ['Lack of supply chain security for '
'NuGet packages',
'Obfuscation and version rotation '
'to evade detection',
'Cross-platform malware targeting '
'developers']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Scan for the five malicious package IDs (IR.DantUI, '
'IR.OscarUI, IR.Infrastructure.Core, '
'IR.Infrastructure.DataService.Core, IR.iplus32)',
'Rotate all exposed credentials (browser, SSH, '
'cryptocurrency wallets, etc.)',
'Block traffic to the C2 domain (dns-providersa2[.]com)',
'Monitor for unusual JIT compilation activity (clrjit.dll '
'hooks)',
'Implement YARA rules to detect related malware families '
'(Lumma, Quantum, AgentRacoon)',
'Enhance supply chain security for package managers '
'(NuGet, npm, etc.)'],
'references': [{'source': 'Socket’s Threat Research Team'}],
'response': {'containment_measures': 'Scan for the five package IDs, rotate '
'exposed credentials, block traffic to '
'C2 infrastructure',
'enhanced_monitoring': 'Monitor for traffic to '
'dns-providersa2[.]com',
'remediation_measures': 'Remove malicious packages, clean '
'infected systems, rotate credentials',
'third_party_assistance': 'Socket’s Threat Research Team'},
'stakeholder_advisories': 'Defenders should assume compromise if systems '
'loaded these packages since September 2025. Rotate '
'credentials and monitor for data exfiltration.',
'title': 'Malicious NuGet Packages Target .NET Developers, Stealing '
'Credentials and Crypto Data',
'type': 'Supply Chain Attack',
'vulnerability_exploited': 'Obfuscated .NET Reactor-protected infostealer, '
'JIT compilation hooking (clrjit.dll!getJit)'}