Nethereum typosquatted NuGet package campaign with download inflation
Campaign
Summary
Typosquatted NuGet uploads were used in a repeat campaign that tried to look popular enough to trick developers into installing a malicious dependency and exposing crypto wallet keys. The operation reused the same impersonation pattern across more than one package, making it an ongoing supply-chain threat rather than a one-off upload. False download counts and a counterfeit package name increased the chance of successful installs.
Related Happenings
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Latest development: 21.05.2026 11:00
Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
TanStack hit by network compromise
Incident
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
**TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
Latest development: 21.05.2026 11:00
On May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
RoshniNaveenaS's account hit by network compromise
Incident
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
The **RoshniNaveenaS** account was **compromised**, enabling attackers to publish malicious **@cap-js** releases without provenance and putting downstream **npm** consumers at ris...
Timeline
- 22.10.2025 14:43 · 1 article · 7mo ago
Netherеum.All typosquat uploaded to NuGet
Campaign Scope Update: A malicious NuGet package named Netherеum.All was uploaded by the user "nethereumgroup" to impersonate Nethereum with a Cyrillic homoglyph swap in the package name, inflate its apparent popularity to 11.7 million downloads, and deliver code that decoded the C2 endpoint solananetworkinstance[.]info/api/gads to exfiltrate mnemonic phrases, private keys, and keystore data.
Sources:
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43
- 22.10.2025 14:43 · 1 article · 7mo ago
NuGet removes malicious Netherеum.All package
Mitigation Patch Update: NuGet removed Netherеum.All for violating the service's Terms of Use four days after the upload, cutting off the malicious typosquat that targeted Nethereum users and sought cryptocurrency wallet keys.
Sources:
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43
- 22.10.2025 14:43 · 2 articles · 7mo ago
Researchers disclose Nethereum NuGet typosquat campaign
Initial Disclosure: Security researchers disclosed a NuGet supply chain campaign against Nethereum users, noting that the same deceptive functionality had already appeared in NethereumNet at the start of October 2025 and that NuGet's permissive naming rules can make homoglyph typosquats easier to publish.
Sources:
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys — thehackernews.com — 22.10.2025 14:43
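
The Cyrillic homoglyph swap described in the timeline is invisible to the eye but not to a script-level check of package IDs. The following is an added example, not code from the cited article, NuGet or Nethereum: it scans a constructed SDK-style project file for `PackageReference` IDs containing letters outside the Latin script. The function names, sample project and version numbers are assumptions made for illustration.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample project file (versions are placeholders).
# The second ID contains U+0435, the Cyrillic letter that renders like Latin "e".
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nethereum.Web3" Version="1.0.0" />
    <PackageReference Include="Nether\u0435um.All" Version="1.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="1.0.0" />
  </ItemGroup>
</Project>"""


def letter_scripts(package_id):
    """Group the letters of an ID by script (first word of the Unicode name)."""
    scripts = {}
    for ch in package_id:
        if ch.isalpha():
            script = unicodedata.name(ch, "UNKNOWN").split()[0]
            scripts.setdefault(script, []).append(ch)
    return scripts


def suspicious_ids(csproj_text):
    """Return (package_id, detail) for IDs that contain non-Latin letters."""
    findings = []
    root = ET.fromstring(csproj_text)
    # Assumes an SDK-style project without an XML namespace on its elements.
    for ref in root.iter("PackageReference"):
        pkg = ref.get("Include") or ""
        foreign = {s: chars for s, chars in letter_scripts(pkg).items()
                   if s != "LATIN"}
        if foreign:
            detail = ", ".join(
                f"{s}: " + " ".join(f"U+{ord(c):04X}" for c in chars)
                for s, chars in sorted(foreign.items()))
            findings.append((pkg, detail))
    return findings


if __name__ == "__main__":
    for pkg, detail in suspicious_ids(SAMPLE_CSPROJ):
        # ascii() makes the hidden code point visible in terminal output.
        print(f"suspicious package id {ascii(pkg)} -> {detail}")
```

Run as a pre-restore CI step, a check like this fails the build before the dependency is fetched; it does not catch ASCII-only lookalikes such as NethereumNet, which need an allowlist of expected package IDs.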