
Rogue NuGet Package Poses as Tracer.Fody, Steals Cryptocurrency Wallet Data

0
Medium
Vulnerability
Published: Tue Dec 16 2025 (12/16/2025, 15:39:00 UTC)
Source: The Hacker News

Description

A malicious NuGet package named "Tracer.Fody.NLog" impersonated the legitimate .NET tracing library "Tracer.Fody" and its maintainer to stealthily steal cryptocurrency wallet data. Published in February 2020, it remained available for nearly six years and was downloaded over 2,000 times. The package contains a trojanized DLL that scans the default Stratis wallet directory on Windows, extracts wallet files and passwords, and exfiltrates them to a threat actor-controlled server in Russia. The attacker used typosquatting and Cyrillic lookalike characters to evade detection and embedded the malicious code within a common helper function to avoid suspicion. The malware silently catches exceptions to avoid disrupting the host application, enabling covert data theft. This attack highlights the risks of supply chain attacks via open-source repositories and the need for vigilance against typosquatting in popular development ecosystems.

AI-Powered Analysis

Last updated: 12/17/2025, 01:39:33 UTC

Technical Analysis

The discovered threat is a malicious NuGet package named "Tracer.Fody.NLog" that impersonates the legitimate .NET tracing library "Tracer.Fody" and its maintainer "csnemes" by using a nearly identical author name "csnemess" and employing Cyrillic lookalike characters in the source code. Published on February 26, 2020, and remaining available for almost six years, the package was downloaded over 2,000 times, including recent downloads. The package contains an embedded DLL that activates when referenced in a project, scanning the default Stratis cryptocurrency wallet directory on Windows systems (%APPDATA%\StratisNode\stratis\StratisMain). It reads wallet files (*.wallet.json) and in-memory wallet passwords, then exfiltrates this sensitive data to a command-and-control server hosted in Russia at IP 176.113.82[.]163. The malicious code is hidden within a generic helper function "Guard.NotNull," which is commonly used in normal program execution, allowing it to evade casual code review. The malware silently handles all exceptions to avoid detection and maintain normal application functionality even if exfiltration fails. This attack is part of a broader pattern of supply chain compromises via typosquatted NuGet packages, with the same threat actor previously using the same IP address for a similar attack involving a package named "Cleary.AsyncExtensions." The campaign demonstrates sophisticated evasion tactics and highlights the vulnerability of open-source package ecosystems to long-term, stealthy supply chain attacks targeting cryptocurrency assets. The threat actor’s focus on .NET tracing and utility libraries suggests future attacks may target other widely used .NET packages. The attack underscores the critical need for improved supply chain security, package provenance verification, and monitoring for anomalous network activity related to software dependencies.

Potential Impact

European organizations using .NET development environments and integrating third-party NuGet packages are at risk of inadvertently incorporating this malicious package, leading to the theft of cryptocurrency wallet data. The impact is particularly severe for entities involved in cryptocurrency operations, fintech, or blockchain development, where wallet compromise can result in direct financial losses and erosion of trust. The stealthy nature of the malware, which avoids detection by mimicking legitimate packages and silently exfiltrating data without disrupting host applications, increases the risk of prolonged undetected compromise. Organizations relying on Stratis wallets on Windows systems are especially vulnerable, as the malware specifically targets this wallet’s default directory. The long presence of the package in the repository (nearly six years) means that many projects may have unknowingly integrated it, potentially affecting supply chains across multiple sectors. This incident also raises concerns about the integrity of open-source software supply chains in Europe, where many enterprises depend on third-party libraries. The exfiltration to a Russian-hosted server adds geopolitical risk considerations, particularly amid heightened tensions and regulatory scrutiny around cybersecurity and data sovereignty in Europe.

Mitigation Recommendations

European organizations should implement strict controls on third-party package usage, including:

1) Employing automated tools to detect typosquatting and suspicious package names in NuGet repositories.
2) Verifying package authorship and digital signatures before integration, especially for critical dependencies.
3) Using software composition analysis (SCA) tools to continuously monitor dependencies for known malicious packages or unusual behavior.
4) Restricting development environments to approved package versions and sources, and maintaining an internal whitelist of vetted packages.
5) Monitoring network traffic for unusual outbound connections, particularly to suspicious IP addresses such as the identified Russian server.
6) Conducting regular audits of existing projects to identify and remove any references to the malicious "Tracer.Fody.NLog" package.
7) Educating developers about the risks of typosquatting and encouraging vigilance when adding new dependencies.
8) Collaborating with NuGet repository maintainers to report and expedite removal of malicious packages.
9) For organizations using Stratis wallets, enforcing endpoint security measures to detect unauthorized file access and exfiltration attempts.
10) Implementing runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions capable of detecting anomalous behaviors related to wallet file access and data exfiltration.
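As an added example (not code from the article, from offseq, or from the Tracer.Fody project), the Python audit below implements recommendations 1 and 6: it reads the package references in a project file and flags the package IDs named in the report, any ID containing Cyrillic or other non-ASCII characters, and any ID that is one or two edits away from (or bolted onto) an allowlist of vetted packages. The allowlist, the sample .csproj and its version numbers are constructed for this example.

```python
import unicodedata
import xml.etree.ElementTree as ET

KNOWN_BAD = {"Tracer.Fody.NLog", "Cleary.AsyncExtensions"}  # package IDs named in the report
TRUSTED = {"Tracer.Fody", "NLog", "Newtonsoft.Json"}  # hypothetical vetted allowlist (assumption)

def non_ascii_scripts(name):
    """Unicode script names of any non-ASCII characters in name, e.g. {'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in name if ord(ch) > 127}

def edit_distance(a, b):
    """Case-insensitive Levenshtein distance; 1-2 edits from a vetted ID is a typosquat signal."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(pkg_id, trusted=TRUSTED, known_bad=KNOWN_BAD):
    """Reasons a package ID deserves review; an empty list means nothing was flagged."""
    reasons = []
    if pkg_id in known_bad:
        reasons.append("known-malicious")
    scripts = non_ascii_scripts(pkg_id)
    if scripts:
        reasons.append("mixed-script:" + ",".join(sorted(scripts)))
    if pkg_id not in trusted:
        for t in sorted(trusted):
            # Near miss, or a vetted ID with an extra ".Segment" appended (the report's
            # Tracer.Fody -> Tracer.Fody.NLog pattern). Heuristic: queue for review, do not auto-block.
            if edit_distance(pkg_id, t) <= 2 or pkg_id.lower().startswith(t.lower() + "."):
                reasons.append("lookalike-of:" + t)
                break
    return reasons

def audit_project_xml(xml_text):
    """{package_id: reasons} for flagged <PackageReference Include> (.csproj) or <package id> (packages.config) entries."""
    root = ET.fromstring(xml_text)
    ids = [el.get("Include") or el.get("id") for el in root.iter()
           if el.tag.rpartition("}")[2] in ("PackageReference", "package")]
    return {pid: reasons for pid in ids if pid and (reasons := classify(pid))}

# Constructed sample .csproj: a vetted reference, the reported typosquat, and a Cyrillic
# lookalike ID (U+0430 in place of Latin 'a'); the version numbers are made up.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Tracer.Fody" Version="2.1.0" />
  <PackageReference Include="Tracer.Fody.NLog" Version="1.0.0" />
  <PackageReference Include="Tr\u0430cer.Fody" Version="2.1.0" />
</ItemGroup></Project>"""
```

Run `audit_project_xml` over every project file in a repository and review the flagged entries; the same `edit_distance` check applied to package author names catches the "csnemes" versus "csnemess" substitution the report describes.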


Technical Details

Article Source
https://thehackernews.com/2025/12/rogue-nuget-package-poses-as-tracerfody.html (fetched 2025-12-17T01:38:52 UTC, 1002 words)

Threat ID: 694209ae473cb759e1e46809

Added to database: 12/17/2025, 1:38:54 AM

Last enriched: 12/17/2025, 1:39:33 AM

Last updated: 12/17/2025, 3:49:05 AM
