Cryptocurrency developers faced a sophisticated threat for months without realizing it. ReversingLabs researchers discovered 14 malicious packages on NuGet that masqueraded as legitimate blockchain development tools while quietly siphoning wallet credentials and redirecting transactions.
The campaign started in July 2025 but didn't surface until October 17, when researchers flagged "Netherеum.All"—a package impersonating Nethereum, a popular Ethereum integration library for .NET developers. That discovery kicked off an investigation revealing a coordinated attack spanning multiple authors and several months.
How the Attack Worked
These weren't crude smash-and-grab operations. The attackers copied entire codebases from legitimate packages, then buried malicious functions deep inside critical execution points. Most of the code looked completely normal—it had to, since developers would integrate these packages into production applications.
The malware activated only when specific functions ran. One package might steal your wallet's private keys when you generated a new address. Another would swap the destination wallet during transactions over $100, redirecting funds to attacker-controlled accounts instead.
ReversingLabs split the 14 packages into three groups based on their payloads:
Nine packages targeted wallet credentials
They exfiltrated private keys, seed phrases, and WIF keys through a function called "Shuffle" that sent data to hxxps://solananetworkinstance[.]info/api/gads. The URL was XOR-obfuscated to dodge static analysis tools.
Three packages redirected cryptocurrency transactions
Coinbase.Net.Api and similar packages included a MapAddress function containing attacker wallet addresses for multiple crypto ecosystems. When developers called SendMoneyAsync to transfer funds, the code swapped destination addresses on transactions exceeding $100.
One package went after Google Ads OAuth tokens
GoogleAds.API exfiltrated developer tokens, OAuth Client IDs, and client secrets—credentials that grant full programmatic access to advertising accounts.
Social Engineering at Scale
The attackers didn't just write clever code. They manipulated NuGet's trust signals to make their packages look legitimate.
Homoglyphs fooled visual inspection
Package names used characters that look identical to standard letters but have different Unicode values. Your eyes see "Nethereum.All" but the computer reads something else entirely.
Version bumping created fake activity
Attackers pushed dozens of versions in rapid succession, making packages appear actively maintained. One package showed multiple versions released simultaneously—a red flag hidden in plain sight.
Download count inflation manufactured popularity
Newly published packages racked up millions of downloads almost immediately. The numbers were absurd, but they worked. Developers saw high download counts and assumed widespread adoption meant safety.
These tactics mirror a campaign ReversingLabs researcher Karlo Zanki documented in July 2024. The playbook works, so attackers keep using it.
The Supply Chain Multiplier Effect
Direct victims were bad enough—developers who installed these packages lost wallet access and had transactions hijacked. But the real damage could spread much further.
Developers building applications with these malicious dependencies unknowingly passed the infection downstream. Every app incorporating the compromised code became a potential attack vector against its own user base. One bad package could compromise entire projects, organizations, and communities.
Think about a startup building a DeFi platform. They pull in what looks like a solid Ethereum library. That library steals wallet keys. Now every user of that platform is exposed, and the startup has no idea they're the vector.
A Temporary Respite Ends
NuGet had been unusually quiet this year. The platform detected just two malicious packages in the first 10 months of 2025, down from 34 in all of 2024. That drop likely reflected security improvements, including mandatory two-factor authentication for maintainer accounts rolled out in July 2024.
This campaign shows attackers adapted. They couldn't brute-force accounts anymore, so they created convincing fake packages from scratch and relied on social engineering instead of compromised credentials.
Meanwhile, other platforms got hammered. ReversingLabs found crypto-targeting malware on PyPI attacking Solana developers, on npm injecting code into local packages, and in VS Code through a malicious pull request to an Ethereum smart contract extension. No open-source repository is immune.
What Developers Should Actually Check
- Package stats lie
  Download counts can be faked. Version histories can be manipulated. Author profiles can be sockpuppets. You need to dig deeper.
- Check publish dates against download numbers
  A package released two days ago with 3 million downloads? That's not organic growth.
- Investigate the author
  What else have they published? How long has their account existed? A brand-new account publishing crypto libraries should trigger skepticism, not trust.
- Read the actual code
  Look for obfuscated sections, unexplained network calls, or XOR operations on hardcoded byte arrays. If you see a function that "shuffles" data or "maps addresses" without clear purpose, ask why it's there.
- Search for the package name character by character
  Copy-paste it into a text editor and inspect for Unicode substitutions. "Nethereum" and "Netherеum" look identical but one contains a Cyrillic "е" instead of a Latin "e."
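The checks above can be automated. The script below is an added example, not from the original article or from ReversingLabs: it flags non-ASCII homoglyphs in a package id by their Unicode names and applies two metadata sanity checks (downloads per day since publication, author account age). The thresholds, the `meta` dict layout and the sample package records are constructed assumptions, not the NuGet API schema or real download figures.

```python
import unicodedata
from datetime import datetime, timezone

# Heuristic thresholds are assumptions for this example, not NuGet policy.
MAX_ORGANIC_DOWNLOADS_PER_DAY = 10_000
MIN_AUTHOR_ACCOUNT_AGE_DAYS = 90


def find_homoglyphs(package_id):
    """List (index, char, unicode name) for each non-ASCII character in an id.

    Mainstream NuGet ids are plain ASCII, so a Cyrillic 'е' hidden in
    'Netherеum' is exposed by its Unicode name even though it renders
    exactly like the Latin 'e'."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(package_id) if not ch.isascii()]


def vet_package(meta, now):
    """Return the list of red flags raised by a package's metadata.

    `meta` is a constructed dict (assumed shape, not the NuGet API schema):
    id, published (datetime), downloads (int), author_created (datetime)."""
    flags = []
    for i, ch, name in find_homoglyphs(meta["id"]):
        flags.append(f"homoglyph at index {i}: {name} (U+{ord(ch):04X})")
    # Clamp to one hour so a package published minutes ago cannot divide by zero.
    age_days = max((now - meta["published"]).total_seconds() / 86400, 1 / 24)
    per_day = meta["downloads"] / age_days
    if per_day > MAX_ORGANIC_DOWNLOADS_PER_DAY:
        flags.append(f"{meta['downloads']} downloads in {age_days:.1f} days "
                     f"({per_day:,.0f}/day) is not organic growth")
    author_age = (now - meta["author_created"]).days
    if author_age < MIN_AUTHOR_ACCOUNT_AGE_DAYS:
        flags.append(f"author account is only {author_age} days old")
    return flags


# Constructed sample records modelled on the campaign's red flags; the
# numbers and dates are invented, not taken from the registry.
NOW = datetime(2025, 10, 17, tzinfo=timezone.utc)
SUSPECT = {
    "id": "Nether\u0435um.All",  # Cyrillic 'е' (U+0435) in place of Latin 'e'
    "published": datetime(2025, 10, 15, tzinfo=timezone.utc),
    "downloads": 3_000_000,
    "author_created": datetime(2025, 9, 1, tzinfo=timezone.utc),
}
LEGIT = {
    "id": "Nethereum.All",
    "published": datetime(2020, 1, 1, tzinfo=timezone.utc),
    "downloads": 1_000_000,
    "author_created": datetime(2017, 1, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for pkg in (SUSPECT, LEGIT):
        print(pkg["id"], "->", vet_package(pkg, NOW) or ["no red flags"])
```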
The Trust Problem Isn't Going Away
This campaign follows patterns seen across every major open-source ecosystem in 2024 and 2025. Attackers know developers trust package managers. They exploit that trust with superficial legitimacy while hiding malicious payloads where automated scanners struggle to reach.
Cryptocurrency remains a prime target because the motivation is direct financial gain and transactions are irreversible. Steal the right keys or redirect the right transaction, and you've made money with minimal traceability.
The 14th package, SolnetAll, was removed before researchers could analyze it. It shares an author with NBitcoin.Unified, which stole wallet information, so it is safe to assume it did something similar.
As long as developers rely on third-party code—and they have to, modern software depends on it—attackers will target the supply chain. Package manager security features help, but they can't prevent every social engineering attack. The last line of defense is developer vigilance backed by tooling that catches what humans miss.
Read ReversingLabs' full technical writeup on their blog to understand the complete scope of this attack and see the actual samples that reveal how the malware operates.