Tracer.Fody.NLog malicious NuGet wallet stealer
Malware Activity
Summary
Hide ▲
Show ▼
Tracer.Fody.NLog is a malicious NuGet package that steals Stratis wallet data and passwords from .NET projects, creating a supply-chain risk for developers and cryptocurrency users. The package impersonates the legitimate Tracer.Fody library and its maintainer, hiding the payload behind a typosquatted name. It has remained available since February 2020 and has been downloaded at least 2,000 times, including recent installs of version 3.2.4. The embedded payload scans the default wallet directory and exfiltrates the stolen data to 176.113.82[.]163 in Russia.
Related Happenings
Mastra @mastra/* npm packages hit by network compromise
Incident
H score47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Mastra @mastra/* npm packages hit by network compromise
IncidentAbout this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
LofyGang Minecraft LofyStealer campaign
Campaign
H score38
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
LofyGang Minecraft LofyStealer campaign
CampaignAbout this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
Telnyx package hit by network compromise
Incident
H score19
First: 27.03.2026 23:13
Last: 27.03.2026 23:13
Sources 1
About this happening:
The **Telnyx package** on **PyPI** was **compromised**, and malicious releases began executing at import, putting downstream developers at risk of secret theft. The bad uploads in...
Telnyx package hit by network compromise
IncidentAbout this happening: The **Telnyx package** on **PyPI** was **compromised**, and malicious releases began executing at import, putting downstream developers at risk of secret theft. The bad uploads in...
Telnyx package WAV-hidden credential-stealing malware
Malware Activity
H score29
First: 27.03.2026 23:13
Last: 27.03.2026 23:13
Sources 1
About this happening:
The malicious **Telnyx** package releases **4.87.1** and **4.87.2** delivered **credential-stealing malware** to imported systems, putting **Linux, macOS, and Windows** environmen...
Telnyx package WAV-hidden credential-stealing malware
Malware ActivityAbout this happening: The malicious **Telnyx** package releases **4.87.1** and **4.87.2** delivered **credential-stealing malware** to imported systems, putting **Linux, macOS, and Windows** environmen...
Telnyx malicious payload stealer delivered via WAV files
Malware Activity
H score30
First: 27.03.2026 18:53
Last: 27.03.2026 18:53
Sources 1
About this happening:
**TeamPCP** pushed a **malicious telnyx package payload** that turns package import into **credential harvesting** and **encrypted exfiltration** across **Windows, Linux, and macO...
Telnyx malicious payload stealer delivered via WAV files
Malware ActivityAbout this happening: **TeamPCP** pushed a **malicious telnyx package payload** that turns package import into **credential harvesting** and **encrypted exfiltration** across **Windows, Linux, and macO...
Timeline
-
16.12.2025 17:39 1 articles · 6mo ago
Tracer.Fody.NLog published to NuGet
Untyped PhaseTracer.Fody.NLog was published to NuGet by csnemess on February 26, 2020, masquerading as Tracer.Fody and embedding a wallet-stealing payload that targets the default Stratis wallet directory, reads *.wallet.json files, and exfiltrates wallet data and passwords to 176.113.82[.]163 in Russia.
Show sources
- Rogue NuGet Package Poses as Tracer.Fody, Steals Cryptocurrency Wallet Data — thehackernews.com — 16.12.2025 17:39
-
16.12.2025 17:39 2 articles · 6mo ago
Socket discloses Tracer.Fody.NLog as a wallet stealer
Initial DisclosureSocket reported that .NET developers who install Tracer.Fody.NLog may unknowingly leak Stratis wallet data and passwords, because the package impersonates Tracer.Fody, uses a near-match maintainer name and Cyrillic lookalikes, hides malicious code in Guard.NotNull, silently catches exceptions, and has at least 2,000 downloads.
Show sources
- Rogue NuGet Package Poses as Tracer.Fody, Steals Cryptocurrency Wallet Data — thehackernews.com — 16.12.2025 17:39
- Rogue NuGet Package Poses as Tracer.Fody, Steals Cryptocurrency Wallet Data — thehackernews.com — 16.12.2025 17:39