Malicious NuGet Packages Target Ethereum Tools and Exfiltrate User Data

By Tina Reynolds

A new security investigation has revealed an extensive campaign targeting users of Ethereum-based tools. The campaign involved 14 malicious NuGet packages designed to steal credentials, API keys, and connection strings. The packages impersonate Nethereum, a popular .NET library for Ethereum, as well as other cryptocurrency-related tools. The campaign attempts to redirect transaction funds to wallets controlled by the attackers, and it has raised serious alarm within the developer community.

The activity dates back to July 2025, and the packages spread rapidly, reaching a high of 56,000 downloads. ReversingLabs, which analyzed the malware, pointed out a disturbing trend: eight distinct accounts were publishing the harmful packages, under names such as binance.csharp, bitcoincore, bybitapi.net, and coinbase.net.api. Perhaps most strikingly, one of those packages, “lotusbail,seiren_primrose”, had 711 downloads in the last week alone.

Payload and Methods of Attack

The main objective of the malicious packages appears to be redirecting funds in transactions over $100. When users run the compromised software, it exfiltrates their private keys and seed phrases, leaving their cryptocurrency wallets fully exposed.

“When you use this library to authenticate, you’re not just linking your application — you’re also linking the threat actor’s device.” – Tuval Admoni

The fraudsters employ a range of tactics to artificially inflate download numbers, which lets them keep up the appearance of active maintenance and hide their malicious purpose. They often release tens or hundreds of new versions in quick succession, fostering the impression of continued support and updates.

As soon as a user authenticates via the library, the malware goes to work, intercepting messages and credentials. This capability lets attackers extract sensitive information without being detected.

“The malware wraps the WebSocket client, so once you authenticate and start sending/receiving messages, the interception kicks in.” – Idan Dardikman

Security Implications

This campaign is a stark reminder of how serious software supply chain attacks on dependencies have become. These threats are not caught by traditional security mechanisms, because static analysis approves code that works without ever examining the intent behind that code.

“Traditional security doesn’t catch this. Static analysis sees working WhatsApp code and approves it. Reputation systems have seen 56,000 downloads and trust it. The malware hides in the gap between ‘this code works’ and ‘this code only does what it claims.’” – Koi

Experts also caution that these advanced methods create an environment in which developers face mounting challenges in testing and validating the safety of their applications. The effects go beyond monetary damage: when attackers gain access to user data, the result is also a serious privacy breach.

Recommendations for Developers

Given these implications, developers building cryptocurrency exchange integrations or wallets with .NET libraries should be wary of the packages they pull in and avoid untrusted ones by all possible means. Adopt a more rigorous security approach: examine package provenance and apply code review standards to catch known vulnerabilities.

Continually learning about and identifying new threats is an important practice for developers. Regularly updating dependencies and leveraging security scanning tools such as Dependabot can help projects proactively mitigate the risks of supply chain attacks.
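As an added example (not code from the article, ReversingLabs, Koi or any quoted source), the script below audits a NuGet packages.lock.json for two of the signals the article describes: package names matching the reported accounts and packages, and the release-burst pattern of tens of versions published in a short window. The lock file, the publish-date history, the version numbers and the watchlist are all constructed for illustration; the lock-file layout is assumed to match NuGet's real format, and the reported account name bybitapi.net is reused as a package id purely for the demonstration.

```python
"""Audit a NuGet packages.lock.json for two signals from the article: names on a
watchlist and release bursts. Added example; all data below is constructed."""
import json
from datetime import datetime, timedelta

# Account and package names reported in the article (watchlist).
WATCHLIST = {"binance.csharp", "bitcoincore", "bybitapi.net", "coinbase.net.api",
             "lotusbail", "seiren_primrose"}

# Constructed packages.lock.json content in NuGet's lock-file layout.
LOCK_FILE = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Nethereum.Web3": {"type": "Direct", "resolved": "4.19.0"},
    "bybitapi.net": {"type": "Direct", "resolved": "1.0.87"},
    "Newtonsoft.Json": {"type": "Transitive", "resolved": "13.0.3"}}}})
# Constructed publish dates per package (real data: NuGet registration index).
HISTORY = {
    "Nethereum.Web3": ["2024-01-10", "2024-03-02", "2024-06-15"],
    "bybitapi.net": [f"2025-08-{d:02d}" for d in range(1, 31)],  # 30 in a month
}

def lock_packages(lock_json: str) -> dict:
    """Return {package id: resolved version} across all target frameworks."""
    found = {}
    for framework in json.loads(lock_json).get("dependencies", {}).values():
        for pkg, meta in framework.items():
            found[pkg] = meta.get("resolved", "")
    return found

def version_burst(dates: list, window_days: int = 30, threshold: int = 20) -> bool:
    """True when at least `threshold` versions fall inside any sliding window."""
    stamps = sorted(datetime.fromisoformat(d) for d in dates)
    for i, start in enumerate(stamps):
        end = start + timedelta(days=window_days)
        if sum(1 for s in stamps[i:] if s <= end) >= threshold:
            return True
    return False

def audit(lock_json: str, history: dict) -> dict:
    """Map each flagged package id to the reasons it was flagged."""
    findings = {}
    for pkg in lock_packages(lock_json):
        reasons = []
        if pkg.lower() in WATCHLIST:
            reasons.append("name matches a reported malicious package/account")
        if version_burst(history.get(pkg, [])):
            reasons.append("release burst: many versions in a short window")
        if reasons:
            findings[pkg] = reasons
    return findings
```

A real audit would pull the publish history from the NuGet registration index and treat a burst as a prompt for manual review, not proof of malice.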

“Supply chain attacks aren’t slowing down – they’re getting better.” – Koi