Tracer.Fody.NLog malicious NuGet wallet stealer
Malware Activity
Summary
Tracer.Fody.NLog is a malicious NuGet package that steals Stratis wallet data and passwords from .NET projects, creating a supply-chain risk for developers and cryptocurrency users. The package impersonates the legitimate Tracer.Fody library and its maintainer, hiding the payload behind a typosquatted name. It has remained available since February 2020 and has been downloaded at least 2,000 times, including recent installs of version 3.2.4. The embedded payload scans the default wallet directory and exfiltrates the stolen data to 176.113.82[.]163 in Russia.
Related Happenings
LofyGang Minecraft LofyStealer campaign
Campaign
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
Telnyx package hit by network compromise
Incident
First: 27.03.2026 23:13
Last: 27.03.2026 23:13
Sources 1
About this happening:
The **Telnyx package** on **PyPI** was **compromised**, and malicious releases began executing at import, putting downstream developers at risk of secret theft. The bad uploads in...
Telnyx package WAV-hidden credential-stealing malware
Malware Activity
First: 27.03.2026 23:13
Last: 27.03.2026 23:13
Sources 1
About this happening:
The malicious **Telnyx** package releases **4.87.1** and **4.87.2** delivered **credential-stealing malware** to imported systems, putting **Linux, macOS, and Windows** environmen...
Telnyx malicious payload stealer delivered via WAV files
Malware Activity
First: 27.03.2026 18:53
Last: 27.03.2026 18:53
Sources 1
About this happening:
**TeamPCP** pushed a **malicious telnyx package payload** that turns package import into **credential harvesting** and **encrypted exfiltration** across **Windows, Linux, and macO...
Contagious Interview malicious npm package payload activity
Malware Activity
First: 02.03.2026 10:44
Last: 02.03.2026 10:44
Sources 1
About this happening:
The **Contagious Interview** operation has added **26 malicious npm packages**, expanding a cross-platform supply-chain path that can hide **C2 resolution**, steal credentials, an...
Timeline
- 16.12.2025 17:39 · 1 article · 5mo ago
Tracer.Fody.NLog published to NuGet
Untyped Phase
Tracer.Fody.NLog was published to NuGet by csnemess on February 26, 2020, masquerading as Tracer.Fody and embedding a wallet-stealing payload that targets the default Stratis wallet directory, reads *.wallet.json files, and exfiltrates wallet data and passwords to 176.113.82[.]163 in Russia.
- Rogue NuGet Package Poses as Tracer.Fody, Steals Cryptocurrency Wallet Data — thehackernews.com — 16.12.2025 17:39
- 16.12.2025 17:39 · 2 articles · 5mo ago
Socket discloses Tracer.Fody.NLog as a wallet stealer
Initial Disclosure
Socket reported that .NET developers who install Tracer.Fody.NLog may unknowingly leak Stratis wallet data and passwords, because the package impersonates Tracer.Fody, uses a near-match maintainer name and Cyrillic lookalikes, hides malicious code in Guard.NotNull, silently catches exceptions, and has at least 2,000 downloads.
- Rogue NuGet Package Poses as Tracer.Fody, Steals Cryptocurrency Wallet Data — thehackernews.com — 16.12.2025 17:39
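A defender-side check for the impersonation pattern described in the summary and disclosure above, added here as an example and not taken from Socket or the cited article: it scans a project file's NuGet references for the package ID named on this page, for IDs containing non-Latin letters, and for IDs that extend a vetted package name. The `TRUSTED` allowlist, the helper names and the sample project are constructed assumptions.

```python
import unicodedata
import xml.etree.ElementTree as ET

KNOWN_BAD = {"tracer.fody.nlog"}   # package ID named on this page
TRUSTED = {"tracer.fody", "nlog"}  # assumption: IDs your team has already vetted

def non_latin_letters(name):
    """Letters in `name` that are not Latin script (e.g. Cyrillic lookalikes)."""
    return [c for c in name
            if c.isalpha() and not unicodedata.name(c, "").startswith("LATIN")]

def package_ids(project_xml):
    """Yield (id, version) from .csproj PackageReference and packages.config entries."""
    for el in ET.fromstring(project_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop XML namespace, if any
        if tag == "PackageReference":
            yield el.get("Include") or el.get("Update") or "", el.get("Version")
        elif tag == "package":
            yield el.get("id") or "", el.get("version")

def audit(project_xml):
    """Return a list of (package_id, version, reason) findings for manual review."""
    findings = []
    for pid, ver in package_ids(project_xml):
        low = pid.lower()                        # NuGet IDs are case-insensitive
        odd = non_latin_letters(pid)
        if low in KNOWN_BAD:
            findings.append((pid, ver, "known malicious package"))
        elif odd:
            findings.append((pid, ver, "non-Latin letters: " +
                             ", ".join(f"U+{ord(c):04X}" for c in odd)))
        elif low not in TRUSTED and any(          # a prompt to verify, not a verdict
                low.startswith(t + ".") or low.endswith("." + t) for t in TRUSTED):
            findings.append((pid, ver, "extends a trusted package name; verify owner"))
    return findings

# Constructed sample project; only Tracer.Fody.NLog 3.2.4 comes from this page.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Tracer.Fody" Version="1.0.0" />
    <PackageReference Include="Tracer.Fody.NLog" Version="3.2.4" />
    <PackageReference Include="Tr\u0430cer.Fody" Version="1.0.0" />
    <PackageReference Include="Tracer.Fody.Helpers" Version="1.0.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The third rule also fires on legitimate extension packages, so treat it as a cue to confirm the publisher on the package's NuGet page before restoring.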