
Malicious NuGet Package Typosquats Popular .NET Tracing Library to Steal Wallet Passwords

Blog post from Socket

Post Details
Company
Date Published
Author: Kirill Boychenko
Word Count: 1,996
Language: English
Hacker News Points: -
Summary

The Socket Threat Research Team has identified a malicious NuGet package, Tracer.Fody.NLog, which mimics the legitimate Tracer.Fody library to steal cryptocurrency wallet information. This package disguises itself as a standard .NET tracing integration but actually exfiltrates data from Stratis wallet files, sending it to a threat actor-controlled server in Russia. Through typosquatting and the use of homoglyphs, Tracer.Fody.NLog closely resembles the legitimate library, making it difficult to detect during manual reviews. Once integrated into a project, the package silently executes a routine that extracts and sends sensitive wallet data without alerting users. The package has been available on the NuGet Gallery since 2020, accumulating around 2,000 downloads and potentially embedding itself in various tools and developer environments. Despite reports to the NuGet security team, the package remains available, highlighting the challenge of detecting such threats in software supply chains. The malicious package uses a combination of technical deception and familiarity with trusted .NET tools to execute its payload, reflecting a broader strategy of targeting widely used software components to conduct covert operations.
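
A name check that a dependency review could run over package IDs or owner names, as an added example (not code from Socket's post): it flags identifiers that render like a trusted name or extend one. The confusables table, the trusted list and the Cyrillic sample ID are constructed assumptions; the summary does not say which characters the real package swapped.

```python
import unicodedata

# Constructed subset of Cyrillic/Greek look-alikes for Latin letters (assumption);
# a production check would load the full Unicode confusables table (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0410": "a", "\u0415": "e", "\u041e": "o", "\u0420": "p", "\u0421": "c",
    "\u0422": "t", "\u0405": "s", "\u03bf": "o", "\u039f": "o",
}

def non_ascii_chars(identifier):
    """List (index, Unicode name) for every character outside ASCII."""
    return [(i, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(identifier) if ord(ch) > 127]

def skeleton(identifier):
    """Fold compatibility forms, map known look-alikes to Latin, lowercase."""
    folded = unicodedata.normalize("NFKC", identifier)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()

def audit(identifier, trusted):
    """Classify a package ID or owner name against a list of trusted names."""
    trusted_lower = {t.lower(): t for t in trusted}
    if identifier.lower() in trusted_lower:        # NuGet IDs are case-insensitive
        return ("trusted", trusted_lower[identifier.lower()])
    skel = skeleton(identifier)
    for low, name in trusted_lower.items():
        if skel == low:
            return ("homoglyph", name)             # renders like a trusted name
    for low, name in trusted_lower.items():
        if skel.startswith(low + "."):
            return ("extends-trusted-name", name)  # verify the publisher first
    if non_ascii_chars(identifier):
        return ("non-ascii", None)
    return ("unknown", None)

if __name__ == "__main__":
    trusted = ["Tracer.Fody", "NLog"]
    # Constructed inputs: the second ID swaps Latin "a" for Cyrillic U+0430.
    for candidate in ["Tracer.Fody", "Tr\u0430cer.Fody", "Tracer.Fody.NLog"]:
        print(ascii(candidate), audit(candidate, trusted), non_ascii_chars(candidate))
```

An "extends-trusted-name" result is a prompt to confirm the publisher matches the trusted package's owner, since legitimate add-on packages also share a prefix.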