
Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys

Severity: Medium
Type: Vulnerability
Published: Wed Oct 22 2025 (10/22/2025, 11:43:00 UTC)
Source: The Hacker News

Description

A supply chain attack was discovered involving a malicious NuGet package named Netherеum.All that impersonated the legitimate Nethereum library by using a Cyrillic homoglyph to trick developers. This typosquatted package contained code to decode a command-and-control server address and exfiltrate sensitive cryptocurrency wallet data, including mnemonic phrases and private keys. The attacker artificially inflated download counts to appear popular and credible. The package was uploaded in October 2025 and removed shortly after detection. The attack exploits NuGet’s lack of strict ASCII naming restrictions, which enables homoglyph abuse. No authentication or user interaction is required beyond downloading the package, making it a stealthy and effective vector for stealing crypto assets. European organizations using Nethereum or related .NET Ethereum integration tools are at risk, especially those involved in blockchain development or crypto asset management. Vigilance in package verification and network monitoring is critical to mitigate this threat.

AI-Powered Analysis

Last updated: 10/23/2025, 01:22:55 UTC

Technical Analysis

Researchers uncovered a sophisticated supply chain attack targeting the NuGet package manager ecosystem by publishing a malicious typosquatted package named Netherеum.All, which impersonated the legitimate Nethereum Ethereum .NET integration library. The attacker replaced the last letter 'e' in 'Nethereum' with the visually similar Cyrillic character 'е' (U+0435), exploiting homoglyph substitution to deceive developers into downloading the malicious package. Uploaded by a user named 'nethereumgroup' on October 16, 2025, the package was removed four days later after violating NuGet’s Terms of Use. The malicious package contained a function named EIP70221TransactionService.Shuffle that decoded an XOR-encoded string to reveal a command-and-control (C2) server endpoint (solananetworkinstance[.]info/api/gads). This function exfiltrated sensitive wallet data including mnemonic phrases, private keys, and keystore information to the attacker’s server. To increase credibility, the attacker artificially inflated download counts to 11.7 million by scripting automated downloads from cloud hosts using IP rotation and user-agent spoofing, thereby boosting search rankings and misleading developers. This attack leverages NuGet’s permissive naming policies that allow Unicode homoglyphs, unlike other package repositories that restrict names to ASCII characters. The threat actor had previously uploaded a similar malicious package named NethereumNet earlier in October 2025. This attack highlights the risks of supply chain compromises in open-source ecosystems, especially for blockchain-related software where stolen keys can lead to irreversible financial loss. No authentication or user interaction beyond package installation is required, making this a potent vector for crypto theft. The attack underscores the need for rigorous package vetting, publisher verification, and monitoring of anomalous network traffic to detect exfiltration attempts.

Potential Impact

This threat poses a significant risk to European organizations involved in blockchain development, cryptocurrency wallet management, and financial services leveraging Ethereum .NET integrations. The exfiltration of mnemonic phrases and private keys can lead to irreversible theft of cryptocurrency assets, resulting in direct financial losses and reputational damage. Organizations relying on Nethereum or similar libraries may inadvertently introduce backdoors into their software supply chain, compromising the integrity and confidentiality of their crypto wallets. The artificial inflation of download counts can mislead developers into trusting malicious packages, increasing the attack surface. Given the stealthy nature of the attack—requiring no user interaction beyond package installation—large-scale compromise is possible if supply chain hygiene is not enforced. The attack also undermines trust in open-source ecosystems and may disrupt blockchain-related projects and services across Europe. Regulatory compliance risks may arise if organizations fail to protect sensitive cryptographic keys, especially under GDPR and financial regulations. The attack could also impact software vendors and developers who distribute or depend on Nethereum packages, potentially cascading into broader ecosystem compromises.

Mitigation Recommendations

European organizations should implement strict supply chain security controls including:
1) Enforce package verification by validating publisher identities and scrutinizing package names for homoglyphs or typosquatting attempts before installation.
2) Use cryptographic signing and verification of NuGet packages to ensure authenticity and integrity.
3) Monitor download statistics and investigate sudden surges or anomalies that may indicate manipulation.
4) Employ static and dynamic analysis tools to scan third-party packages for suspicious code, especially those handling cryptographic keys.
5) Restrict package sources to trusted repositories and consider using internal mirrors or proxies that vet packages.
6) Implement network monitoring and anomaly detection to identify unusual outbound traffic patterns indicative of data exfiltration.
7) Educate developers about homoglyph attacks and the risks of typosquatting in package managers.
8) Regularly audit cryptographic key usage and rotate keys if compromise is suspected.
9) Advocate for NuGet to adopt stricter naming policies restricting Unicode homoglyphs to prevent similar attacks.
10) Integrate supply chain risk management into DevSecOps pipelines to detect and block malicious dependencies early.
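As an added example (not from the article or this threat entry), the following Python check implements recommendations 1 and 5 for a .NET project file: it flags PackageReference ids that contain non-ASCII characters, mix scripts, or fold to a vetted name once known confusables such as Cyrillic ie (U+0435) are mapped back to Latin. The .csproj fragment, the TRUSTED allow-list and the small CONFUSABLES table are constructed for the example.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed .csproj fragment: one legitimate reference and one whose id swaps
# the last Latin 'e' for Cyrillic ie (U+0435), mirroring the Netherеum.All case.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nethereum.Web3" Version="4.0.0" />
    <PackageReference Include="Nether\u0435um.All" Version="1.0.0" />
  </ItemGroup>
</Project>"""

# Hypothetical allow-list of lower-cased package ids the team has already vetted.
TRUSTED = {"nethereum.web3", "nethereum.all", "newtonsoft.json"}

# Small Cyrillic/Greek -> Latin look-alike table (subset; load Unicode confusables.txt in production).
CONFUSABLES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u04bb": "h",
               "\u0456": "i", "\u0458": "j", "\u043e": "o", "\u0440": "p",
               "\u0455": "s", "\u0445": "x", "\u0443": "y", "\u03bf": "o"}

def scripts_of(name):
    """Set of scripts (first word of each letter's Unicode name) used in the id."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}

def skeleton(name):
    """Fold known confusables to their Latin look-alike, then lower-case."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()

def check_package(name):
    """Return a list of findings for one package id; an empty list means no concern."""
    findings = []
    if not name.isascii():
        findings.append("non_ascii")
    if len(scripts_of(name)) > 1:
        findings.append("mixed_script")
    sk = skeleton(name)
    if name.lower() not in TRUSTED and sk in TRUSTED:
        findings.append("lookalike_of:" + sk)  # visually matches a vetted id
    return findings

def audit_csproj(xml_text):
    """Map every PackageReference id in the project file to its findings."""
    root = ET.fromstring(xml_text)
    return {ref.get("Include"): check_package(ref.get("Include"))
            for ref in root.iter("PackageReference") if ref.get("Include")}

if __name__ == "__main__":
    for pkg, findings in audit_csproj(SAMPLE_CSPROJ).items():
        print(pkg.encode("unicode_escape").decode(), "->", findings or "ok")
```

A pure-ASCII typosquat such as the earlier NethereumNet package is not caught by the homoglyph checks and relies on the allow-list and publisher verification instead.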


Technical Details

Article Source: https://thehackernews.com/2025/10/fake-nethereum-nuget-package-used.html (fetched 2025-10-23T01:21:32 UTC, 1023 words)

Threat ID: 68f9831e93bcde9f320bfbe2

Added to database: 10/23/2025, 1:21:34 AM

Last enriched: 10/23/2025, 1:22:55 AM

Last updated: 10/23/2025, 10:41:46 PM

