5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer
Five malicious NuGet packages impersonate Chinese . NET UI libraries to distribute an infostealer targeting browser credentials, cryptocurrency wallets, SSH keys, and local files. These packages typosquat legitimate libraries and use . NET Reactor-protected payloads grafted onto decompiled code. The campaign employs version rotation to evade detection, with most versions unlisted but accessible. The malware targets multiple browsers, desktop crypto wallets, and browser wallet extensions, exfiltrating data to a newly registered command and control domain. It executes via . NET module initializers, hooks the CLR JIT compiler, and supports cross-platform infection including Linux and macOS. Approximately 65,000 downloads have been recorded, putting many developer workstations and CI/CD servers at risk. No official patch or remediation guidance is provided in the available data.
AI Analysis
Technical Summary
This threat involves five malicious NuGet packages published under the account 'bmrxntfj' that impersonate Chinese .NET UI and infrastructure libraries. The packages contain payloads protected by .NET Reactor, grafted onto decompiled legitimate code to evade detection. The campaign uses version rotation with 219 of 224 versions unlisted but fetchable, complicating hash-based detection. The infostealer targets credentials from 12 browsers, 8 desktop cryptocurrency wallets, and 5 browser wallet extensions, exfiltrating stolen data to a newly registered C2 domain. The payload activates through .NET module initializers and hooks into the CLR JIT compiler, enabling cross-platform infection including Linux and macOS environments. With roughly 65,000 downloads, this supply chain attack risks compromising developer workstations and CI/CD build servers. No vendor advisory or patch information is currently available.
Potential Impact
The malware can steal sensitive information including browser credentials, cryptocurrency wallets, SSH keys, and local files from infected systems. It targets a broad range of browsers and crypto wallets, increasing the potential impact on users involved in software development and cryptocurrency management. The campaign's use of version rotation and unlisted package versions complicates detection and mitigation efforts. Cross-platform infection capability extends the threat beyond Windows to Linux and macOS infrastructure, potentially affecting diverse development environments. The high number of downloads indicates significant exposure and risk to developer workstations and CI/CD pipelines.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. In the absence of an official fix, organizations should audit their NuGet package dependencies for suspicious or typosquatted packages, especially those published under the account 'bmrxntfj'. Remove or block these malicious packages and monitor for any signs of compromise related to browser credentials, crypto wallets, and SSH keys. Employ supply chain security best practices such as verifying package integrity and using trusted sources. Since the campaign uses version rotation and unlisted versions, rely on behavioral detection and threat intelligence indicators (e.g., known malicious domains and hashes) to identify infections.
Indicators of Compromise
- domain: dns-providersa2.com
- url: https://dns-providersa2.com/upload
- url: https://dns-providersa2.com/check
- domain: git.justdotrip.com
- hash: efb675de4b3af3dac3c9cae91075fd7cc2f4f98e
- hash: 019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824
- hash: 34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c
- hash: 596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1
- hash: 8f7aa15c77bde94087bb74dfc072e25212797b313731b4cad0ded3e152268dcf
- hash: b8543b2a1ad8862ebfef18924cf5444d2adfee996939963f4fc2748c582cf9a9
- hash: b8fa1b2fade45304c003909e375d2519ea447b498b7d93fe7c50db014d30f4fa
- hash: e1869d6571894f058dd4ab2b66f060628dc364ee8e29afbd2323c95e5002fb8e
- domain: justdotrip.com
5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer
Description
Five malicious NuGet packages impersonate Chinese . NET UI libraries to distribute an infostealer targeting browser credentials, cryptocurrency wallets, SSH keys, and local files. These packages typosquat legitimate libraries and use . NET Reactor-protected payloads grafted onto decompiled code. The campaign employs version rotation to evade detection, with most versions unlisted but accessible. The malware targets multiple browsers, desktop crypto wallets, and browser wallet extensions, exfiltrating data to a newly registered command and control domain. It executes via . NET module initializers, hooks the CLR JIT compiler, and supports cross-platform infection including Linux and macOS. Approximately 65,000 downloads have been recorded, putting many developer workstations and CI/CD servers at risk. No official patch or remediation guidance is provided in the available data.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves five malicious NuGet packages published under the account 'bmrxntfj' that impersonate Chinese .NET UI and infrastructure libraries. The packages contain payloads protected by .NET Reactor, grafted onto decompiled legitimate code to evade detection. The campaign uses version rotation with 219 of 224 versions unlisted but fetchable, complicating hash-based detection. The infostealer targets credentials from 12 browsers, 8 desktop cryptocurrency wallets, and 5 browser wallet extensions, exfiltrating stolen data to a newly registered C2 domain. The payload activates through .NET module initializers and hooks into the CLR JIT compiler, enabling cross-platform infection including Linux and macOS environments. With roughly 65,000 downloads, this supply chain attack risks compromising developer workstations and CI/CD build servers. No vendor advisory or patch information is currently available.
Potential Impact
The malware can steal sensitive information including browser credentials, cryptocurrency wallets, SSH keys, and local files from infected systems. It targets a broad range of browsers and crypto wallets, increasing the potential impact on users involved in software development and cryptocurrency management. The campaign's use of version rotation and unlisted package versions complicates detection and mitigation efforts. Cross-platform infection capability extends the threat beyond Windows to Linux and macOS infrastructure, potentially affecting diverse development environments. The high number of downloads indicates significant exposure and risk to developer workstations and CI/CD pipelines.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. In the absence of an official fix, organizations should audit their NuGet package dependencies for suspicious or typosquatted packages, especially those published under the account 'bmrxntfj'. Remove or block these malicious packages and monitor for any signs of compromise related to browser credentials, crypto wallets, and SSH keys. Employ supply chain security best practices such as verifying package integrity and using trusted sources. Since the campaign uses version rotation and unlisted versions, rely on behavioral detection and threat intelligence indicators (e.g., known malicious domains and hashes) to identify infections.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://socket.dev/blog/5-malicious-nuget-packages-impersonate-chinese-ui-libraries"]
- Adversary
- null
- Pulse Id
- 69fcc64069bf35be793669dd
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domaindns-providersa2.com | — | |
domaingit.justdotrip.com | — | |
domainjustdotrip.com | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://dns-providersa2.com/upload | — | |
urlhttps://dns-providersa2.com/check | — |
Hash
| Value | Description | Copy |
|---|---|---|
hashefb675de4b3af3dac3c9cae91075fd7cc2f4f98e | — | |
hash019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824 | — | |
hash34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c | — | |
hash596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1 | — | |
hash8f7aa15c77bde94087bb74dfc072e25212797b313731b4cad0ded3e152268dcf | — | |
hashb8543b2a1ad8862ebfef18924cf5444d2adfee996939963f4fc2748c582cf9a9 | — | |
hashb8fa1b2fade45304c003909e375d2519ea447b498b7d93fe7c50db014d30f4fa | — | |
hashe1869d6571894f058dd4ab2b66f060628dc364ee8e29afbd2323c95e5002fb8e | — |
Threat ID: 69fda78fcbff5d8610b5621e
Added to database: 5/8/2026, 9:06:23 AM
Last enriched: 5/8/2026, 9:21:40 AM
Last updated: 5/8/2026, 2:49:18 PM
Views: 64
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.