Malicious NuGet Package Tracer.Fody.NLog Steals Cryptocurrency Wallet Data
Summary
A malicious NuGet package named "Tracer.Fody.NLog" has been discovered, impersonating the legitimate "Tracer.Fody" library. The package, available for nearly six years, steals cryptocurrency wallet data from Stratis wallets and exfiltrates it to a Russian-controlled server. It has been downloaded over 2,000 times, with recent downloads occurring in the last six weeks. The threat actor used typosquatting and Cyrillic lookalike characters to evade detection. The package scans the default Stratis wallet directory on Windows, reads wallet files, and exfiltrates data silently without disrupting the host application. The same IP address was previously used in another NuGet impersonation attack in December 2023. Defenders are advised to be vigilant against similar threats targeting .NET projects.
Timeline
- 16.12.2025 17:39 (1 article)
Malicious NuGet Package Tracer.Fody.NLog Steals Cryptocurrency Wallet Data
- Rogue NuGet Package Poses as Tracer.Fody, Steals Cryptocurrency Wallet Data — thehackernews.com — 16.12.2025 17:39
Information Snippets
- The malicious package "Tracer.Fody.NLog" was published on February 26, 2020, by a user named "csnemess".
  First reported: 16.12.2025 17:39 (1 source, 1 article)
- The package masquerades as "Tracer.Fody", which is maintained by "csnemes"; the malicious publisher name differs by a single letter.
  First reported: 16.12.2025 17:39 (1 source, 1 article)
- The package has been downloaded at least 2,000 times, with 19 downloads in the last six weeks for version 3.2.4.
  First reported: 16.12.2025 17:39 (1 source, 1 article)
- The package scans the default Stratis wallet directory on Windows and exfiltrates wallet data to a Russian-controlled server at 176.113.82[.]163.
  First reported: 16.12.2025 17:39 (1 source, 1 article)
- The malicious routine is hidden within a generic helper function "Guard.NotNull" to evade detection.
  First reported: 16.12.2025 17:39 (1 source, 1 article)
- The same IP address was used in another NuGet impersonation attack in December 2023 involving the package "Cleary.AsyncExtensions".
  First reported: 16.12.2025 17:39 (1 source, 1 article)
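A defender-side check for the two naming tricks described on this page (near-identical names and lookalike characters), added here as an example; it is not code from the cited article or from any NuGet tooling. The allowlist, the 0.85 similarity threshold, the function names and the sample project file are assumptions, and the Cyrillic-bearing ID in the sample is constructed.

```python
import unicodedata
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Assumption: the team's reviewed package IDs (hypothetical allowlist).
APPROVED = {"Tracer.Fody", "NLog", "Newtonsoft.Json"}

# Constructed SDK-style project file. The last ID hides Cyrillic U+0435
# in place of Latin "e"; it is sample data, not an observed package.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Tracer.Fody" />
    <PackageReference Include="NLog" />
    <PackageReference Include="Tracer.Fody.NLog" />
    <PackageReference Include="N\u0435wtonsoft.Json" />
  </ItemGroup>
</Project>"""

def non_ascii_chars(name):
    """Unicode names of every non-ASCII character in an identifier."""
    return [unicodedata.name(c, "UNKNOWN") for c in name if ord(c) > 127]

def resembles(name, approved, threshold=0.85):
    """Return the approved name that `name` imitates, or None if it is approved or unrelated."""
    low = name.lower()  # NuGet package IDs are case-insensitive
    if low in {a.lower() for a in approved}:
        return None
    for good in sorted(approved):
        g = good.lower()
        if low.startswith(g + ".") or SequenceMatcher(None, low, g).ratio() >= threshold:
            return good  # a reason to review the package, not proof of malice
    return None

def audit(csproj_text, approved=APPROVED):
    """List (package_id, imitated_id, non_ascii_names) for references worth reviewing."""
    findings = []
    for ref in ET.fromstring(csproj_text).iter("PackageReference"):
        pkg = ref.get("Include", "")
        odd, twin = non_ascii_chars(pkg), resembles(pkg, approved)
        if odd or twin:
            findings.append((pkg, twin, odd))
    return findings

if __name__ == "__main__":
    for pkg, twin, odd in audit(SAMPLE_CSPROJ):
        print(f"REVIEW {pkg!r}: imitates={twin} non_ascii={odd}")
    # The same comparison works on the publisher names given on this page.
    print(resembles("csnemess", {"csnemes"}))
```

The prefix rule also flags legitimate companion packages that extend an approved ID, so each hit should be resolved by checking the publisher on the package's gallery page before adding it to the allowlist.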