Published on May 7, 2026

Malicious NuGet Packages Target Browser Credentials, SSH Keys, and Crypto Wallets


Severity

High

Detail

A fresh wave of malicious packages has been discovered targeting the NuGet ecosystem, one of the most widely used package registries in the .NET developer community. Five rogue packages were identified impersonating legitimate Chinese software libraries commonly used in enterprise environments.

The malicious packages secretly deploy malware designed to steal browser credentials, SSH private keys, cryptocurrency wallet data, Outlook profiles, Steam credentials, and sensitive user files. Researchers identified approximately 64,784 downloads across the malicious packages, potentially impacting developer workstations and CI/CD build systems since at least September 2025.

To evade detection, the threat actor used a version rotation technique where most published versions were hidden from public searches. Out of 224 versions published, 219 were concealed, allowing the attacker to continuously rotate payloads and bypass traditional hash-based detection and security blocklists.

The malware also targets cryptocurrency wallets including MetaMask, Phantom, Trust Wallet, TronLink, Coinbase Wallet, Exodus, Electrum, Atomic, Guarda, Ledger, and Binance wallets. Successful compromise may result in credential theft, unauthorized access, cryptocurrency theft, source code exposure, CI/CD compromise, and potential lateral movement within enterprise environments.

How?

The attack begins when a developer workstation or CI/CD build system restores one of the malicious NuGet packages during normal software development operations. Because the packages contain legitimate functionality and mimic trusted enterprise libraries, they can appear harmless during casual inspection.

Once the package is loaded, a hidden .NET module initializer automatically executes without requiring user interaction. The malware then performs Just-In-Time (JIT) hooking by modifying the .NET runtime compiler dispatch mechanism, allowing the attacker to intercept and control compiled methods.

After execution is established, the package deploys a second-stage infostealer executable named we4ftg[.]exe. The malware then harvests:

  • Browser passwords, cookies, autofill data, and payment card information
  • SSH private keys and Outlook profiles
  • Cryptocurrency wallet data from browser extensions and desktop wallet applications
  • Steam credentials and files from Desktop, Documents, and Downloads folders

The stolen data is staged locally in a fake Microsoft OneDrive directory at C:\ProgramData\Microsoft OneDrive\keys[.]dat.

Finally, the collected information is exfiltrated to attacker-controlled command-and-control (C2) infrastructure through remote upload endpoints.

Indicators of Compromise (IoCs)

Type           | Indicator                                        | Description
NuGet Package  | IR[.]DantUI                                      | Malicious package impersonating AntdUI
NuGet Package  | IR[.]Infrastructure[.]Core                       | Malicious enterprise library
NuGet Package  | IR[.]Infrastructure[.]DataService[.]Cor          | Malicious enterprise library
NuGet Package  | IR[.]iplus32                                     | Malicious package impersonating iplus32
NuGet Package  | IR[.]OscarUI                                     | Malicious UI library
NuGet Account  | bmrxntfj                                         | Threat actor publisher account
Domain         | dns-providersa2[.]com                            | Primary C2 domain
URL            | https://dns-providersa2[.]com/check              | C2 validation endpoint
URL            | https://dns-providersa2[.]com/upload             | Data exfiltration endpoint
IP Address     | 62[.]84[.]102[.]85                               | Amsterdam-based VPS
Domain         | git[.]justdotrip[.]com                           | Attacker development infrastructure
IP Address     | 47[.]100[.]60[.]237                              | Alibaba Cloud Shanghai server
File Path      | C:\ProgramData\Microsoft OneDrive\keys[.]dat     | Malware staging location
File Name      | we4ftg[.]exe                                     | Second-stage infostealer
File Name      | s4[.]exe                                         | Memory dump stealer component
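To act on the package IoCs above, a defender needs to find out whether any project or build agent ever restored one of the five package IDs. The following Python script is an added example written for this advisory, not code from the source article or from any researcher named in it. It checks the three places a NuGet dependency leaves a trace: .csproj PackageReference entries, packages.lock.json (which also records transitive dependencies), and the directory names in the NuGet global package cache (~/.nuget/packages by default). The package IDs are refanged from the table; the sample .csproj and lock file contents are constructed for demonstration, and the version numbers in them are invented. The package ID "IR.Infrastructure.DataService.Cor" is copied verbatim from the advisory.

```python
"""Scan .NET project manifests, lock files and the NuGet package cache for the
package IDs listed in this advisory's IoC table (added example, not from the article)."""
import json
import xml.etree.ElementTree as ET
from pathlib import Path

# IoC package IDs from the advisory table, refanged. NuGet IDs are case-insensitive,
# so everything is compared in lower case.
MALICIOUS_PACKAGE_IDS = {
    "ir.dantui",
    "ir.infrastructure.core",
    "ir.infrastructure.dataservice.cor",  # copied verbatim from the advisory
    "ir.iplus32",
    "ir.oscarui",
}
MALICIOUS_PUBLISHER = "bmrxntfj"          # publisher account from the advisory
STAGING_PATH = Path(r"C:\ProgramData\Microsoft OneDrive\keys.dat")  # staging file from the advisory

# Constructed sample inputs (versions are invented for the demonstration).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="IR.DantUI" Version="1.2.3" />
  </ItemGroup>
</Project>"""

SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
            "IR.Infrastructure.Core": {"type": "Transitive", "resolved": "2.0.1"},
        }
    },
})


def find_in_csproj(xml_text):
    """Return (package_id, version) for every <PackageReference> whose Include or Update
    attribute names an IoC package. Old-style projects carry an MSBuild XML namespace,
    so the tag is matched by suffix rather than exact name."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        if elem.tag.endswith("PackageReference"):
            pkg = elem.get("Include") or elem.get("Update")
            if pkg and pkg.lower() in MALICIOUS_PACKAGE_IDS:
                hits.append((pkg, elem.get("Version")))
    return hits


def find_in_lock_file(json_text):
    """Return (framework, package_id, resolved_version, dependency_type) for every entry in a
    packages.lock.json that names an IoC package. Transitive entries matter: a clean
    top-level dependency can pull a malicious package in without it ever appearing in a .csproj."""
    data = json.loads(json_text)
    hits = []
    for framework, deps in data.get("dependencies", {}).items():
        for pkg, info in deps.items():
            if pkg.lower() in MALICIOUS_PACKAGE_IDS:
                hits.append((framework, pkg, info.get("resolved"), info.get("type")))
    return hits


def match_cache_dirs(dir_names):
    """Given directory names from the NuGet global package cache (one folder per package ID,
    already lower-cased by NuGet), return the names that are IoC package IDs."""
    return sorted(name for name in dir_names if name.lower() in MALICIOUS_PACKAGE_IDS)


def find_in_package_cache(cache_root=Path.home() / ".nuget" / "packages"):
    """Walk the global package cache on this machine; a hit means the package was restored at
    some point even if the project that pulled it has since been cleaned up."""
    cache_root = Path(cache_root)
    if not cache_root.is_dir():
        return []
    return match_cache_dirs(p.name for p in cache_root.iterdir() if p.is_dir())


def scan_tree(root):
    """Scan every .csproj and packages.lock.json under root; return a list of findings."""
    findings = []
    root = Path(root)
    for csproj in root.rglob("*.csproj"):
        for pkg, ver in find_in_csproj(csproj.read_text(encoding="utf-8-sig")):
            findings.append((str(csproj), pkg, ver))
    for lock in root.rglob("packages.lock.json"):
        for fw, pkg, ver, kind in find_in_lock_file(lock.read_text(encoding="utf-8-sig")):
            findings.append((str(lock), f"{pkg} ({kind}, {fw})", ver))
    return findings


if __name__ == "__main__":
    print("sample .csproj hits:", find_in_csproj(SAMPLE_CSPROJ))
    print("sample lock-file hits:", find_in_lock_file(SAMPLE_LOCK))
    print("global cache hits:", find_in_package_cache())
    print("staging artifact present:", STAGING_PATH.exists())
```

Run it from the root of a source checkout (or point scan_tree at a build agent's workspace) and treat any hit, including a transitive one in a lock file, as a trigger for the full incident response the conclusion calls for; a cache hit on a machine whose projects no longer reference the package still means the module initializer ran at restore time.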

Conclusion

This campaign highlights the growing threat of software supply chain attacks targeting developers and enterprise build environments. By disguising malicious payloads within trusted-looking NuGet packages, attackers were able to distribute credential-stealing malware capable of compromising browsers, SSH keys, cryptocurrency wallets, and sensitive enterprise data.

The use of hidden package versions, automated execution through .NET module initializers, and advanced evasion techniques demonstrates a high level of sophistication designed to avoid traditional detection methods. Organizations relying on third-party dependencies and public package repositories should strengthen software supply chain security practices, continuously monitor package activity, and promptly investigate any exposure to the identified malicious packages.

Source

https://cybersecuritynews.com/malicious-nuget-packages-target-browser-credentials/