
Malicious NuGet supply-chain campaign targeting crypto tools and Google Ads OAuth

Campaign
Happening score: 45
1 unique source, 1 article

Summary


14 malicious NuGet packages were published to impersonate crypto tooling and redirect funds or steal private keys, seed phrases, and Google Ads OAuth data, creating a supply-chain risk for developers. The packages were uploaded from eight different accounts and were designed to activate when installed and embedded in other applications. Some payloads redirected transfers to attacker-controlled wallets when the amount exceeded $100. The campaign dates back to July 2025.

Related Happenings

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...

Famous Chollima PromptMink supply-chain campaign targeting Web3 developers

Campaign
First: 29.04.2026 17:43 Last: 29.04.2026 17:43 Sources 1

About this happening: The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....

Ghost campaign malicious npm supply-chain operation

Campaign
First: 24.03.2026 16:30 Last: 24.03.2026 16:30 Sources 1

About this happening: A **malicious npm supply-chain campaign** dubbed **"Ghost campaign"** is using **fake installation logs** to conceal malware delivery, increasing the chance that package installer...

Graphalgo malicious npm and PyPI RAT downloader packages

Malware Activity
First: 14.02.2026 00:35 Last: 14.02.2026 00:35 Sources 1

About this happening: **Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...

Latest development: 29.04.2026 17:43

North Korean graphalgo operators use fake companies, fake job interviews, and coding tests on job-seeking platforms and social networks to lure developers into downloading GitHub-hosted assessment projects that carry malicious npm or PyPI dependencies and ultimately install a RAT. One front company, Blocmerce, registered an LLC in Florida in August 2025, and related GitHub organizations have been active since June 2025.

Lazarus Group graphalgo recruitment-themed package campaign

Campaign
First: 12.02.2026 18:55 Last: 12.02.2026 18:55 Sources 1

About this happening: The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...

Timeline

  1. 22.12.2025 18:28 2 articles · 5mo ago

    ReversingLabs discloses malicious NuGet packages targeting crypto tools and Google Ads OAuth

    Campaign Scope Update

    ReversingLabs disclosed 14 malicious NuGet packages published from eight different accounts that impersonate Nethereum and other cryptocurrency-related tools, redirect transaction funds to attacker-controlled wallets when transfers exceed $100, or exfiltrate private keys, seed phrases, and Google Ads OAuth data. The campaign dates back to July 2025 and uses package installation and embedding in developer applications to trigger the payloads.
