
Malicious NuGet Packages Typosquat Nethereum to Exfiltrate Wallet Keys

Blog post from Socket

Company: Socket
Author: Kirill Boychenko
Word count: 1,487
Language: English
Summary

Socket's Threat Research Team discovered a homoglyph typosquat on NuGet impersonating the Nethereum project: the package name Netherеum.All uses a Cyrillic "е" in place of the Latin "e", so it is visually indistinguishable from the legitimate name. The package used an XOR routine to decode its command and control (C2) endpoint at solananetworkinstance.info and exfiltrated sensitive data such as mnemonics and private keys via HTTPS POST requests. It was published on October 16, 2025, and removed by NuGet on October 20, 2025; in that window it showed suspiciously high download counts indicative of automated inflation, a common tactic for creating a false sense of popularity.

The investigation linked this package to an earlier typosquat, NethereumNet, which shares the same malicious codebase and was published by the same threat actor under the aliases nethereumgroup and NethereumCsharp. The case highlights a weakness in NuGet's naming rules, which permit Unicode lookalikes in package names, in contrast to registries that enforce stricter ASCII-only constraints. Developers who installed either package should treat any exposed secrets as compromised and rotate them, and should tighten dependency hygiene generally; tools such as Socket are recommended for detecting and blocking such packages in the software supply chain.