EXECUTIVE SUMMARY
A group of malicious NuGet packages has been identified that impersonate Chinese .NET libraries to distribute a stealer targeting browser credentials, crypto wallets, SSH keys, and local files. The packages, published under the account bmrxntfj, have accumulated approximately 65,000 downloads, putting tens of thousands of developer workstations and CI/CD build servers at risk of credential and crypto wallet theft. The stealer targets saved credentials in 12 browsers, eight desktop cryptocurrency wallets and five browser wallet extensions, and exfiltrates the collected data to a newly registered C2 domain. The packages remain available on NuGet at the time of writing, and takedown requests have been submitted to the NuGet Gallery security team. The intended victims are developers who work in Chinese enterprise .NET ecosystems, integrate WinForms UI components from Gitee-sourced mirrors, or pull packages from curated Chinese corporate registries.
The malware is delivered through NuGet package installation, and the payload is launched from the .NET module initializer, which the CLR invokes automatically on first load of the assembly, before any application code runs. The initializer calls into the Reactor bootstrap, which verifies the assembly's Anti-Tamper integrity, allocates a read-write-execute memory region, decrypts the Necrobit stage-2 resource blob, and patches clrjit.dll!getJit with a hook that owns every subsequent method compilation in the process. From that point the payload controls the JIT pipeline; it also includes cross-platform code paths for Linux and macOS. The Reactor-protected infostealer payload then harvests saved credentials from 12 browsers, eight desktop cryptocurrency wallets and five browser wallet extensions, and exfiltrates them to the newly registered C2 domain.
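As an added triage example (not code from this page or from either vendor report), the following Python script checks NuGet packages for the two things the paragraph above gives a defender to look for: the publisher account bmrxntfj in the package's .nuspec, and the clrjit.dll/getJit strings the bootstrap needs in order to hook the JIT. The indicator list and the sample package it builds are constructed here; a Reactor-protected assembly normally encrypts its strings, so a clean string scan is not proof of absence.

```python
import io
import re
import zipfile
from pathlib import Path

# Indicators from the write-up: the publisher account and the strings the bootstrap needs to patch clrjit.dll!getJit.
SUSPECT_AUTHORS = {"bmrxntfj"}
HOOK_STRINGS = [b"clrjit.dll", b"getJit"]

def _encodings(s: bytes) -> list[bytes]:
    # ASCII/UTF-8 covers the #Strings heap (DllImport names); UTF-16LE covers the #US heap (C# literals).
    return [s, s.decode("ascii").encode("utf-16-le")]

def scan_nupkg(data: bytes, name: str = "<memory>") -> list[str]:
    """Triage one .nupkg (a zip archive); returns human-readable findings."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for entry in z.namelist():
            if entry.endswith(".nuspec"):
                spec = z.read(entry).decode("utf-8", "replace")
                m = re.search(r"<authors>(.*?)</authors>", spec, re.S)
                author = m.group(1).strip() if m else ""
                if author.lower() in SUSPECT_AUTHORS:
                    findings.append(f"{name}: nuspec author '{author}' is a flagged publisher")
            elif entry.lower().endswith((".dll", ".exe")):
                blob = z.read(entry)
                hits = [s.decode() for s in HOOK_STRINGS
                        if any(enc in blob for enc in _encodings(s))]
                if hits:
                    findings.append(f"{name}:{entry}: JIT-hook strings {hits}")
    return findings

def scan_cache(root: Path) -> list[str]:
    # Walk a NuGet package cache (e.g. ~/.nuget/packages) and triage every .nupkg in it.
    out: list[str] = []
    for p in (root.rglob("*.nupkg") if root.is_dir() else []):
        out.extend(scan_nupkg(p.read_bytes(), str(p)))
    return out

def build_sample(author: str, dll_bytes: bytes) -> bytes:
    # Constructed test package for offline use; not a real NuGet artifact.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("sample.nuspec", f"<package><metadata><authors>{author}</authors></metadata></package>")
        z.writestr("lib/net48/sample.dll", dll_bytes)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample("bmrxntfj", b"MZ" + "getJit".encode("utf-16-le") + b"clrjit.dll")
    print(*scan_nupkg(sample, "sample.nupkg"), sep="\n")
```

To run it over a real cache, call `scan_cache(Path.home() / ".nuget" / "packages")` and review every finding by hand; confirming a module initializer and the RWX allocation requires a metadata-aware tool rather than a string match.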
This threat is significant for organisations because it can compromise tens of thousands of developer workstations and CI/CD build servers, putting credentials, wallets and source code at risk. The packages remain available on NuGet, and the stealer's evasion techniques (obfuscation, integrity checks and the JIT hook) make it difficult to detect and to recover from. Organisations should act now to secure their dependencies: verify the authenticity and publisher of NuGet packages before use, and monitor developer machines and build agents for suspicious activity. Regular patching, monitoring, backups and endpoint protection support this. Particular caution is warranted when integrating WinForms UI components from Gitee-sourced mirrors or pulling packages from curated Chinese corporate registries.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1598.001 | Domain Name System (DNS) | — |
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Privilege Escalation | T1055.013 | Process Injection | Process Doppelgänging |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Collection | T1539 | Steal Web Session Cookie | — |
| Credential Access | T1552.001 | Unsecured Credentials | — |
| Collection | T1560 | Archive Collected Data | — |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1083 | File and Directory Discovery | — |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/nuget-supply-chain-attack-critical-dotnet-malware-ir-packages/
https://socket.dev/blog/5-malicious-nuget-packages-impersonate-chinese-ui-libraries