Netherеum.All NuGet typosquat wallet-stealer

Malware Activity
Happening score: 22
1 unique source, 1 article

Summary

The Netherеum.All NuGet package was exposed as a malicious supply-chain implant that can steal cryptocurrency wallet secrets from users of Nethereum. Its payload decodes a hidden C2 endpoint and exfiltrates mnemonic phrases, private keys, and keystore data. The package was uploaded on October 16, 2025, removed four days later, and relied on a Cyrillic homoglyph trick to look legitimate.

Related Happenings

Telnyx package WAV-hidden credential-stealing malware

Malware Activity
First: 27.03.2026 23:13 Last: 27.03.2026 23:13 Sources 1

About this happening: The malicious **Telnyx** package releases **4.87.1** and **4.87.2** delivered **credential-stealing malware** to imported systems, putting **Linux, macOS, and Windows** environmen...

Telnyx package hit by network compromise

Incident
First: 27.03.2026 23:13 Last: 27.03.2026 23:13 Sources 1

About this happening: The **Telnyx package** on **PyPI** was **compromised**, and malicious releases began executing at import, putting downstream developers at risk of secret theft. The bad uploads in...

Ghost campaign malicious npm supply-chain operation

Campaign
First: 24.03.2026 16:30 Last: 24.03.2026 16:30 Sources 1

About this happening: A **malicious npm supply-chain campaign** dubbed **"Ghost campaign"** is using **fake installation logs** to conceal malware delivery, increasing the chance that package installer...

TeamPCP Cloud stealer credential-stealing operation

Malware Activity
First: 24.03.2026 11:29 Last: 24.03.2026 11:29 Sources 1

About this happening: **TeamPCP Cloud stealer** was used in poisoned **GitHub Actions** and extension payloads that hit **Checkmarx** workflows, expanding a supply-chain credential-theft operation acro...

Latest development: 23.04.2026 22:21

Threat actors published a malicious @bitwarden/cli version 2026.4.0 on April 22, 2026, likely through a compromised GitHub Action in Bitwarden's CI/CD pipeline, and used bw_setup.js and bw1.js to download Bun, steal developer secrets, and exfiltrate AES-256-GCM-encrypted data through public GitHub repositories under victim accounts.

CanisterWorm self-propagation across npm packages

Malware Activity
First: 21.03.2026 09:28 Last: 21.03.2026 09:28 Sources 1

About this happening: A **self-propagating npm supply-chain worm** tracked as **CanisterSprawl** is abusing **stolen developer npm tokens** to spread through compromised packages. **Socket** and **Step...

Timeline

  1. 22.10.2025 14:43 · 1 article

    Typosquatted Netherеum.All uploaded to NuGet

    A user named `nethereumgroup` uploaded the malicious NuGet package `Netherеum.All`, which impersonated Nethereum by swapping the last Latin `e` with a Cyrillic homoglyph to mislead developers into installing a wallet-stealing typosquat.

  2. 22.10.2025 14:43 · 1 article

    NuGet removes Netherеum.All after policy violation

    Legal Policy Action Update

    NuGet security staff removed `Netherеum.All` after it violated the service's Terms of Use, ending distribution of the malicious package that targeted Nethereum users' cryptocurrency wallet secrets.

  3. 22.10.2025 14:43 · 2 articles

    Researchers disclose NuGet supply chain wallet-stealer

    Initial Disclosure

    Security researchers described a NuGet supply chain attack against Nethereum users in which `Netherеum.All` decoded a command-and-control endpoint at `solananetworkinstance[.]info/api/gads` and exfiltrated mnemonic phrases, private keys, and keystore data.

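An added example, not part of the original page or of any tool named in it: a dependency audit for the homoglyph trick described in the summary and in the first timeline entry. It lists `PackageReference` IDs in a project file that contain non-ASCII characters and reports each character's code point and script; the project file contents and version numbers are constructed sample data.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample project file (not from the page). The second reference
# uses U+0435 (CYRILLIC SMALL LETTER IE) in place of the last Latin "e".
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nethereum.Web3" Version="0.0.0" />
    <PackageReference Include="Nether\u0435um.All" Version="0.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="0.0.0" />
  </ItemGroup>
</Project>"""


def script_of(ch):
    """Coarse script label from the Unicode name; None for digits and punctuation."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]  # LATIN, CYRILLIC, GREEK...


def non_ascii_chars(pkg_id):
    """Return (index, code point, Unicode name) for every non-ASCII character."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(pkg_id) if not c.isascii()]


def scan_csproj(xml_text):
    """Map each suspicious package ID to the evidence a reviewer needs."""
    flagged = {}
    for el in ET.fromstring(xml_text).iter():
        # Strip any XML namespace so old-style project files are handled too.
        if el.tag.split("}")[-1] != "PackageReference":
            continue
        pkg_id = el.get("Include") or el.get("Update") or ""
        chars = non_ascii_chars(pkg_id)
        if chars:
            scripts = sorted({script_of(c) for c in pkg_id} - {None})
            flagged[pkg_id] = {"chars": chars, "scripts": scripts,
                               "mixed_script": len(scripts) > 1}
    return flagged


if __name__ == "__main__":
    for pkg_id, report in scan_csproj(SAMPLE_CSPROJ).items():
        print(ascii(pkg_id), report)
```

An ID written entirely in one non-Latin script is still reported, with `mixed_script` set to false, so a reviewer sees every non-ASCII dependency name.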