Malicious NuGet Packages Target Chinese Developers, Steal Sensitive Data

Malicious NuGet Packages Target Chinese Developers, Steal Sensitive Data

First seen 7 May 2026, 11:51 UTC GbhackersTechnaduCybersecuritynewssocket.dev 84% similarity 76.5

Article Content

Browse articles
ThreatCluster

Five malicious NuGet packages were discovered targeting developers in the Chinese .NET ecosystem. The packages, published under the account bmrxntfj, impersonate legitimate libraries and have accumulated around 65,000 downloads. They deploy a sophisticated infostealer that targets browser credentials, SSH keys, and cryptocurrency wallets. The attack leverages extensive version manipulation to evade detection, with 219 out of 224 versions marked as 'listed: false'. The primary command-and-control domain for the stolen data is dns-providersa2.com, registered on March 12, 2026. Cybersecurity researchers have submitted takedown requests to NuGet's security team, but the packages remain active as of the latest reports. Developers are advised to use legitimate libraries and rotate credentials from potentially compromised systems.

Key Points: • Five malicious NuGet packages impersonate legitimate libraries targeting Chinese developers. • The infostealer collects sensitive data, including browser credentials and crypto wallet information. • Cybersecurity teams are urged to implement detection measures and rotate credentials immediately.

ThreatCluster AI

Timeline

2026-03-12
C2 domain registered
The command-and-control domain dns-providersa2.com was registered, used for data exfiltration.
Technadu
2026-04-14
Malicious packages published
Five rogue NuGet packages were published, targeting Chinese .NET developers with a sophisticated infostealer.
Technadu
2026-05-07
Takedown requests submitted
Socket researchers submitted takedown requests to NuGet's security team to remove the malicious packages.
Technadu

Community

Browse all →