Malicious Nethereum NuGet Package Exfiltrates Cryptocurrency Wallet Keys

First reported

22.10.2025 14:43

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

A malicious NuGet package, Netherеum.All, impersonated the legitimate Nethereum library using a homoglyph trick to steal cryptocurrency wallet keys. The package, uploaded on October 16, 2025, was taken down four days later. It exploited a lack of naming constraints in NuGet to fool developers into downloading it. The package exfiltrated sensitive wallet data to a command-and-control server. The threat actor also uploaded another malicious package, NethereumNet, earlier in the month. This incident highlights the risks posed by homoglyph typosquatting in the NuGet repository. The package was designed to appear popular by artificially inflating download counts, a tactic that can mislead developers into trusting the package.

Timeline

22.10.2025 14:43 1 articles · 23h ago

Malicious Nethereum NuGet Package Exfiltrates Cryptocurrency Wallet Keys
On October 16, 2025, a malicious NuGet package, Netherеum.All, was uploaded to impersonate the legitimate Nethereum library. The package used a Cyrillic homoglyph to deceive developers and exfiltrated sensitive wallet data to a command-and-control server. The package was taken down on October 20, 2025, for violating NuGet's Terms of Use. The threat actor also uploaded another malicious package, NethereumNet, earlier in the month.
Show sources

Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43
Open in new tab

Information Snippets

The malicious package Netherеum.All was uploaded to NuGet on October 16, 2025, by a user named 'nethereumgroup'.
First reported: 22.10.2025 14:43

1 source, 1 article
Show sources
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43
The package used a Cyrillic homoglyph to replace the letter 'e' in 'Nethereum' to deceive developers.
First reported: 22.10.2025 14:43

1 source, 1 article
Show sources
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43
The package exfiltrated mnemonic phrases, private keys, and keystore data to a command-and-control server.
First reported: 22.10.2025 14:43

1 source, 1 article
Show sources
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43
The main payload within the package was in the function EIP70221TransactionService.Shuffle.
First reported: 22.10.2025 14:43

1 source, 1 article
Show sources
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43
The threat actor artificially inflated the download count to make the package appear popular.
First reported: 22.10.2025 14:43

1 source, 1 article
Show sources
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43
The malicious package was taken down from NuGet on October 20, 2025, for violating the service's Terms of Use.
First reported: 22.10.2025 14:43

1 source, 1 article
Show sources
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43
The threat actor previously uploaded another malicious package, NethereumNet, with similar functionality.
First reported: 22.10.2025 14:43

1 source, 1 article
Show sources
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43
NuGet does not enforce ASCII naming constraints, allowing for homoglyph typosquatting.
First reported: 22.10.2025 14:43

1 source, 1 article
Show sources
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43