Typosquatted NuGet Poses as Tracer.Fody to Steal Crypto
A long-lived rogue NuGet package has been caught impersonating the .NET tracing library Tracer.Fody and its maintainer to deploy a cryptocurrency wallet stealer targeting Stratis wallets.
Key details:
- Package and publisher: Tracer.Fody.NLog published by csnemess, mimicking the legitimate maintainer csnemes
- Timeline: First published on February 26, 2020; remained on NuGet for nearly six years and was still available at time of writing
- Downloads: At least 2,000 total; 19 in the last six weeks for version 3.2.4
- What it does: Presents as a standard .NET tracing integration but steals cryptocurrency wallet data
- How it works: The embedded Tracer.Fody.dll scans the default Stratis wallet directory on Windows (%APPDATA%\StratisNode\stratis\StratisMain), reads the *.wallet.json files and captures the wallet password from the host process's memory, then exfiltrates the wallet file contents and the password to infrastructure in Russia at 176.113.82[.]163
- Stealth tactics: Typosquatting the maintainer name (csnemes vs. csnemess), use of Cyrillic lookalike characters in source, and hiding malicious logic inside a generic helper (Guard.NotNull) executed during normal program operation
- Error handling: All exceptions are silently caught so the host application keeps running even if exfiltration fails, minimizing chances of detection
- Related activity: The same IP was linked to a December 2023 NuGet impersonation (Cleary.AsyncExtensions under the alias stevencleary) that siphoned wallet seed phrases by posing as the AsyncEx library
Why it matters: The case illustrates how malicious typosquats mirroring legitimate tools can quietly persist across open-source ecosystems. Defenders should expect similar activity and follow-on implants, with likely targets including logging and tracing integrations, argument validation libraries, and utility packages commonly used in .NET projects.
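As a defender-side check added here (not code from the article, the package, or the Tracer.Fody project), the script below audits a package's .nuspec metadata for the two indicators the report describes, a package ID reported as malicious and a publisher name that is a near-miss of the legitimate maintainer, and scans source text for identifiers that mix Latin and Cyrillic letters. It assumes the standard NuGet cache layout (~/.nuget/packages/<id>/<version>/<id>.nuspec); the sample .nuspec and the homoglyph identifier are constructed for the example, since the article does not print the package's metadata or the exact lookalike characters.

```python
"""Audit NuGet package metadata and .NET source for the indicators in the report above.

Checks:
  1. package ID on a known-bad list (IDs named in the article);
  2. publisher within a small edit distance of the expected maintainer for a package prefix;
  3. source identifiers mixing Latin and Cyrillic letters (homoglyph abuse).
"""
import re
import unicodedata
import xml.etree.ElementTree as ET
from pathlib import Path

# Legitimate maintainer per package-ID prefix (from the article); extend for your own dependencies.
TRUSTED_MAINTAINERS = {"Tracer.Fody": "csnemes"}
# Package IDs the article reports as malicious.
KNOWN_BAD_IDS = {"Tracer.Fody.NLog", "Cleary.AsyncExtensions"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character publisher lookalikes such as csnemes vs csnemess."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _text(root, tag: str) -> str:
    """First element text for a tag name, ignoring the nuspec XML namespace."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == tag:
            return (el.text or "").strip()
    return ""


def audit_nuspec(nuspec_xml: str) -> list:
    """Return human-readable findings for one package's .nuspec."""
    root = ET.fromstring(nuspec_xml)
    pkg_id, authors = _text(root, "id"), _text(root, "authors")
    findings = []
    if pkg_id in KNOWN_BAD_IDS:
        findings.append(f"{pkg_id}: package ID reported as malicious")
    for prefix, maintainer in TRUSTED_MAINTAINERS.items():
        if pkg_id != prefix and not pkg_id.startswith(prefix + "."):
            continue
        for author in (a.strip() for a in authors.split(",")):
            if author.lower() == maintainer.lower():
                continue
            d = levenshtein(author.lower(), maintainer.lower())
            if d <= 2:
                findings.append(f"{pkg_id}: publisher '{author}' is a near-match for "
                                f"'{maintainer}' (distance {d})")
            else:
                findings.append(f"{pkg_id}: publisher '{author}' is not the expected "
                                f"maintainer '{maintainer}'")
    return findings


IDENT_RE = re.compile(r"[^\W\d]\w*")  # Unicode-aware identifier pattern


def _script(ch: str):
    try:
        return unicodedata.name(ch).split()[0]  # e.g. "LATIN", "CYRILLIC"
    except ValueError:
        return None


def mixed_script_identifiers(source: str) -> list:
    """Identifiers whose letters come from more than one script."""
    found = []
    for m in IDENT_RE.finditer(source):
        scripts = {_script(c) for c in m.group() if c.isalpha()} - {None}
        if len(scripts) > 1:
            found.append(m.group())
    return found


def audit_cache(cache_root: str = str(Path.home() / ".nuget" / "packages")) -> list:
    """Walk the local NuGet cache (<id>/<version>/<id>.nuspec) and audit every package."""
    results = []
    for nuspec in Path(cache_root).glob("*/*/*.nuspec"):
        results.extend(audit_nuspec(nuspec.read_text(encoding="utf-8", errors="replace")))
    return results


# Constructed sample inputs for this example; not taken from the real package.
SAMPLE_NUSPEC = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Tracer.Fody.NLog</id>
    <version>3.2.4</version>
    <authors>csnemess</authors>
  </metadata>
</package>"""
# Hypothetical helper with a Cyrillic 'а' (U+0430) in 'name'.
SAMPLE_SOURCE = "public static T NotNull<T>(T value, string n\u0430me) { return value; }"

if __name__ == "__main__":
    for line in audit_nuspec(SAMPLE_NUSPEC) + mixed_script_identifiers(SAMPLE_SOURCE):
        print(line)
    for line in audit_cache():
        print(line)
```

Run it with no arguments to see the findings for the constructed samples and then for every package in the local cache; in a CI job, fail the build when `audit_cache()` returns anything.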
Source: The Hacker News