Crypto Heist in Code: How Malicious NuGet Packages Targeted Developers and Their Wallets
A sophisticated campaign on NuGet used lookalike packages to siphon cryptocurrency and ad data from unsuspecting developers worldwide.
It started like any other Monday for many software developers - until a trusted toolbox turned traitor. Behind the scenes of the popular NuGet repository, a silent digital heist was underway. Packages that seemed legitimate, boasting millions of downloads and familiar names, were in fact poisoned traps. The attackers? Cunning, persistent, and masters of disguise, they leveraged every trick in the cybercriminal playbook to steal cryptocurrency and ad data, exposing the hidden dangers lurking in the very tools developers rely on.
Fast Facts
- 14 malicious packages were discovered on NuGet, a repository for software building blocks.
- Attackers used visual “homoglyph” tricks and fake download counts to mimic trusted libraries.
- Malicious code targeted cryptocurrency seed phrases, private keys, and Google Ads accounts.
- Some attacks swapped wallet addresses mid-transaction, diverting funds to criminals.
- Infection risk extended “downstream” to thousands of users through embedded code.
The Anatomy of a Code Con
The recent NuGet incident, uncovered by security firm ReversingLabs, reads like a cybercrime thriller. Since July 2025, hackers have quietly seeded the repository with 14 booby-trapped packages, each crafted to blend in with popular developer tools. The deception ran deep: attackers deployed “homoglyphs” - subtle character swaps like a Cyrillic ‘е’ for a Latin ‘e’ - to create package names almost indistinguishable from the real thing. ‘Netherеum.All’, for example, impersonated a well-known Ethereum library with a single, almost invisible character difference.
But the ruse didn’t stop at names. The hackers artificially inflated download counts into the millions and pushed rapid-fire updates (“version bumping”) to mimic the activity of healthy, reliable projects. The result? Even seasoned developers could be fooled into trusting and integrating these poisoned packages.
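One defender-side check for the homoglyph trick described above, written here as an added example and not code from the article or from ReversingLabs: it scans the PackageReference entries of a constructed .csproj fragment for non-ASCII characters and for names whose Latin-lookalike form collides with a trusted package id. The confusables table is a hand-picked subset of Cyrillic lookalikes and the trusted list is an assumed allowlist.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample .csproj fragment. The second entry spells "Nethereum.All"
# with two Cyrillic 'е' (U+0435) characters, as in the lookalike package above.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nethereum.All" Version="4.0.0" />
    <PackageReference Include="Neth\u0435r\u0435um.All" Version="4.0.1" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

# Hand-picked subset of Cyrillic letters that render like Latin ones.
# A production check would use the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}

def skeleton(name: str) -> str:
    """Reduce a package id to its Latin lookalike form: NFKC, confusable swap, lowercase."""
    normalized = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized).lower()

def package_ids(csproj_xml: str) -> list[str]:
    """Collect the Include attribute of every PackageReference element."""
    root = ET.fromstring(csproj_xml)
    return [el.attrib["Include"] for el in root.iter("PackageReference")]

def audit(csproj_xml: str, trusted: set[str]) -> list[dict]:
    """Flag ids containing non-ASCII code points or impersonating a trusted id (assumed allowlist)."""
    trusted_by_skeleton = {skeleton(t): t for t in trusted}
    findings = []
    for pkg in package_ids(csproj_xml):
        non_ascii = [f"U+{ord(c):04X}" for c in pkg if ord(c) > 0x7F]
        lookalike = trusted_by_skeleton.get(skeleton(pkg))
        # NuGet ids are case-insensitive, so a pure case difference is the same package.
        impersonates = lookalike if lookalike and lookalike.casefold() != pkg.casefold() else None
        if non_ascii or impersonates:
            findings.append({"id": pkg, "non_ascii": non_ascii, "impersonates": impersonates})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSPROJ, {"Nethereum.All", "Newtonsoft.Json"}):
        print(finding)
```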
The payloads were as varied as they were dangerous. Nine packages specialized in stealing the “seed phrases” and private keys that unlock cryptocurrency wallets - information that, if compromised, allows attackers to drain entire accounts. Other packages, like Coinbase.Net.Api, monitored outgoing transactions and, for any transfer over $100, quietly swapped the recipient address for the attacker’s wallet, redirecting funds in real time. Meanwhile, the GoogleAds.API package targeted OAuth tokens, enabling attackers to hijack Google Ads accounts and potentially rack up fraudulent charges.
Tracing the perpetrators, researchers linked several packages to an author alias “DamienMcdougal,” a name previously associated with other theft-focused campaigns. The attackers showed agility, deleting some packages when under scrutiny and reappearing with new aliases, a classic cat-and-mouse game in the world of supply chain attacks.
Ripple Effects: When Trust Becomes a Threat
Perhaps the most insidious aspect of this campaign is its potential for collateral damage. Because developers often incorporate third-party packages into their own software, a single malicious library can infect countless downstream applications and users. The very openness and trust that power the developer community became the attackers’ weapon of choice.
As digital currencies grow in popularity and value, so too does the sophistication of those seeking to steal them. This incident is a stark reminder: in the world of software supply chains, trust is both the foundation and the Achilles’ heel. Vigilance isn’t optional - it’s essential.
WIKICROOK
- NuGet: NuGet is an online platform and package manager that lets .NET developers share, download, and manage reusable code libraries for their projects.
- Homoglyph: Homoglyphs are visually similar but technically different characters used in cyberattacks to disguise malicious links, domains, or code, tricking unsuspecting users.
- Seed Phrase: A seed phrase is a set of words that acts as the master key to a crypto wallet. Anyone with it can access and control your funds.
- OAuth Token: An OAuth token is a digital key that lets apps securely access your data without needing your password each time.
- Version Bumping: Version bumping means frequently raising a package’s version number to appear actively maintained or recently patched, sometimes misleading users about what actually changed or whether any security fix was made.