5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer
Blog post from Socket
Socket's Threat Research Team identified five malicious NuGet packages published by the account bmrxntfj that impersonate popular Chinese .NET UI libraries. Each package copies the legitimate library's namespaces so that it drops in as a plausible substitute, and bundles a .NET Reactor-protected infostealer that harvests browser credentials, cryptocurrency wallet data and other sensitive files and exfiltrates them to a command-and-control domain. Together the packages have been downloaded roughly 65,000 times, putting developer workstations and CI/CD build servers at risk of credential theft. The payload is unpacked and executed through the .NET JIT pipeline from behind the .NET Reactor protection layer, and it runs whenever an application that references the package loads the assembly, so any build, test or developer machine that restores and uses one of these packages can be compromised. The actor also rotates package versions to stay ahead of detection and relies on anti-tamper checks and process injection to hinder analysis. At the time of writing the packages remained available despite takedown requests, so developers and security teams should audit their dependency manifests and lockfiles for them. Shared obfuscation techniques and infrastructure link this campaign to previously reported malicious actors.