Cybersecurity researchers have identified a malicious NuGet package that impersonates the popular .NET tracing library Tracer.Fody to steal cryptocurrency wallet information.
The package, called “Tracer.Fody.NLog,” was uploaded by a user named “csnemess” on February 26, 2020, and has remained on the repository for nearly six years. It closely mimics the legitimate “Tracer.Fody” library maintained by “csnemes.” As of this writing, the package is still publicly available and has been downloaded over 2,000 times, including 19 downloads of version 3.2.4 in the past six weeks.
Socket security researcher Kirill Boychenko explained, “While it presents itself as a standard .NET tracing integration, the package actually functions as a cryptocurrency wallet stealer. The embedded Tracer.Fody.dll scans the default Stratis wallet directory, reads *.wallet.json files, extracts wallet data, and sends it along with the wallet password to infrastructure controlled by threat actors in Russia at 176.113.82[.]163.”

The attack evaded casual review by using multiple deceptive tactics. The malicious package imitates the legitimate maintainer with a single-letter variation in the username (“csnemes” vs. “csnemess”), uses Cyrillic lookalike characters in the source code, and hides the malicious routine inside a generic helper function (“Guard.NotNull”) used during normal program execution.
Once a project references the package, the embedded code automatically scans the default Stratis wallet directory on Windows (“%APPDATA%\StratisNode\stratis\StratisMain”), reads wallet files and in-memory passwords, and silently exfiltrates the data to the Russian-hosted IP. All exceptions are caught quietly, so the host application continues to function without alerting the user while wallet data leaks.
Socket noted that the same IP was used in a December 2023 NuGet impersonation attack involving the “Cleary.AsyncExtensions” package, which stole wallet seed phrases by disguising itself as the AsyncEx NuGet library.
These incidents highlight the ongoing risk posed by malicious typosquats in open-source ecosystems. Security professionals are advised to remain vigilant, particularly for logging, tracing, argument validation, and utility packages in .NET projects.
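The two review-evasion tactics described above (a one-letter owner variation and Cyrillic lookalike characters in source) can be checked mechanically during dependency review. The following Python sketch is an added example, not code from Socket or from either package; the allowlist format, function names and the sample source line are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumed allowlist for this example: package id -> owner account named in the article.
TRUSTED = {"Tracer.Fody": "csnemes"}
# Constructed sample line: the "o" in "config" is Cyrillic U+043E, not Latin.
SAMPLE = "var c\u043enfig = Load();"

def scripts(token):
    """Scripts used by the letters of token, taken from the Unicode character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in token if ch.isalpha()}

def mixed_script_identifiers(source):
    """Identifiers that combine Latin letters with another script (homoglyph indicator)."""
    hits = []
    for tok in re.findall(r"[^\W\d]\w*", source):
        found = scripts(tok)
        if "LATIN" in found and len(found) > 1:
            hits.append(tok)
    return hits

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_package(package_id, owner):
    """Findings for a package whose id or owner shadows a trusted entry."""
    findings = []
    for trusted_id, trusted_owner in TRUSTED.items():
        if package_id == trusted_id and owner == trusted_owner:
            return []  # exact trusted pair, nothing to report
        if package_id.lower().startswith(trusted_id.lower() + ".") and owner != trusted_owner:
            findings.append(f"id extends {trusted_id} but owner is {owner!r}")
        if 0 < edit_distance(owner.lower(), trusted_owner.lower()) <= 1:
            findings.append(f"owner {owner!r} is one edit from {trusted_owner!r}")
    return findings

if __name__ == "__main__":
    print(mixed_script_identifiers(SAMPLE))
    for finding in review_package("Tracer.Fody.NLog", "csnemess"):
        print(finding)
```

A finding here is a prompt for manual review of the package owner and contents, not proof of malice; legitimate third-party extensions also use a popular package's id as a prefix.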


