Cybersecurity researchers have uncovered a new supply chain attack targeting the NuGet package manager with malicious typosquats of Nethereum, a popular Ethereum .NET integration platform, to steal victims’ cryptocurrency wallet keys.
The package, Netherеum.All, has been found to harbor functionality to decode a command-and-control (C2) endpoint and exfiltrate mnemonic phrases, private keys, and keystore data, according to security company Socket.
The library was uploaded by a user named “nethereumgroup” on October 16, 2025. It was taken down from NuGet for violating the service’s Terms of Use four days later.
What’s notable about the NuGet package is that it swaps the last occurrence of the letter “e” with the Cyrillic homoglyph “e” (U+0435) to fool unsuspecting developers into downloading it.
In a further attempt to increase the credibility of the package, the threat actors have resorted to artificially inflating the download counts, claiming it has been downloaded 11.7 million times — a huge red flag given that it’s unlikely for an entirely new library to rack up such a high count within a short span of time.
“A threat actor can publish many versions, then script downloads of each .nupkg through the v3 flat-container or loop nuget.exe install and dotnet restore with no-cache options from cloud hosts,” security researcher Kirill Boychenko said. “Rotating IPs and user agents and parallelizing requests boosts volume while avoiding client caches.”
“The result is a package that appears ‘popular,’ which boosts placement for searches sorted by relevance and lends a false sense of proof when developers glance at the numbers.”
The main payload within the NuGet package is within a function named EIP70221TransactionService.Shuffle, which parses an XOR-encoded string to extract the C2 server (solananetworkinstance[.]info/api/gads) and exfiltrates sensitive wallet data to the attacker.
The threat actor has been found to have previously uploaded another NuGet package called “NethereumNet” with the same deceptive functionality at the start of the month. It has already been removed by the NuGet security team.
This is not the first homoglyph typosquat that has been spotted in the NuGet repository. In July 2024, ReversingLabs documented details of several packages that impersonated their legitimate counterparts by substituting certain elements with their equivalents to bypass casual inspection.
Unlike other open-source package repositories like PyPI, npm, Maven Central, Go Module, and RubyGems that enforce restrictions on the naming scheme to ASCII, NuGet places no such constraints other than prohibiting spaces and unsafe URL characters, opening the door to abuse.
To mitigate such risks, users should carefully scrutinize libraries before downloading them, including verifying publisher identity and sudden download surges, and monitor for anomalous network traffic.
