A malicious NuGet package impersonates the author of a .NET tracing library in order to sneak in a cryptocurrency wallet stealer. The malicious package, "Tracer.Fody.NLog," was present in the repository for almost six years. A user going by the handle "csnemess" published it on February 26, 2020.

As of this writing, the package is still accessible and has been downloaded at least 2,000 times, with 19 of those downloads occurring in the last six weeks for version 3.2.4.

"All exceptions are silently caught, so even if the exfiltration fails, the host application continues to run without any visible error while successful calls quietly leak wallet data to the threat actor's infrastructure," stated Kirill Boychenko, a security researcher. The findings show how malicious typosquats that mimic trustworthy tools can operate covertly, without drawing attention, throughout open-source repository ecosystems, according to security firm Socket.

In a blog post about the attack, the company stated that "other logging and tracing integrations, argument validation libraries, and utility packages that are common in .NET projects are likely targets." According to Socket, "likely targets" will include additional .NET tools and libraries. "Defenders should expect to see similar activity and follow-on implants that extend this pattern."
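Because the package fails silently, a project that references it shows no runtime symptom, so the practical check is on the dependency manifest itself. The following is an added example, not code from Socket or from the article: a small Python audit that flags the package ID named above in `.csproj` and `packages.config` content. The function name and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Package ID taken from the article; NuGet IDs compare case-insensitively.
FLAGGED_IDS = {"tracer.fody.nlog"}

def _local(tag):
    """Strip an XML namespace, since old-style .csproj files declare one."""
    return tag.rsplit("}", 1)[-1]

def find_flagged_packages(xml_text, flagged=FLAGGED_IDS):
    """Return sorted (package_id, version) pairs from a .csproj or
    packages.config document whose ID matches a flagged package."""
    hits = set()
    root = ET.fromstring(xml_text)
    for el in root.iter():
        name = _local(el.tag)
        if name == "PackageReference":
            pkg_id = el.get("Include") or el.get("Update")
            # Version may be an attribute or a child element.
            version = el.get("Version")
            if version is None:
                for child in el:
                    if _local(child.tag) == "Version":
                        version = (child.text or "").strip()
        elif name == "package":
            pkg_id, version = el.get("id"), el.get("version")
        else:
            continue
        if pkg_id and pkg_id.strip().lower() in flagged:
            hits.add((pkg_id.strip(), version or "unspecified"))
    return sorted(hits)

# Constructed sample inputs (not taken from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="NLog" Version="5.0.0" />
    <PackageReference Include="tracer.fody.NLOG"><Version>3.2.4</Version></PackageReference>
  </ItemGroup>
</Project>"""

SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Tracer.Fody.NLog" version="3.2.4" targetFramework="net48" />
</packages>"""

if __name__ == "__main__":
    for label, doc in (("csproj", SAMPLE_CSPROJ), ("packages.config", SAMPLE_PACKAGES_CONFIG)):
        print(label, find_flagged_packages(doc))
```

This only covers direct references declared in the manifest; transitive dependencies need the resolved graph, for example from `dotnet list package --include-transitive`.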