Malicious NuGet Packages Target Chinese Developers, Steal Sensitive Data
Severity: High (Score: 76.5)
Sources: Cybersecuritynews, Technadu, Gbhackers, socket.dev
Summary
Five malicious NuGet packages were discovered targeting developers in the Chinese .NET ecosystem. The packages, published under the account bmrxntfj, impersonate legitimate libraries and have accumulated around 65,000 downloads. They deploy a sophisticated infostealer that targets browser credentials, SSH keys, and cryptocurrency wallets. The attack relies on extensive version manipulation to evade detection: 219 of the 224 published versions are marked 'listed: false' (unlisted). The primary command-and-control domain for the stolen data is dns-providersa2.com, registered on March 12, 2026. Cybersecurity researchers have submitted takedown requests to NuGet's security team, but the packages remain active as of the latest reports. Developers are advised to use legitimate libraries and rotate credentials on potentially compromised systems.

Key Points
- Five malicious NuGet packages impersonate legitimate libraries and target Chinese developers.
- The infostealer collects sensitive data, including browser credentials and cryptocurrency wallet information.
- Security teams are urged to implement detection measures and rotate credentials immediately.
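As an added example (not code from any of the cited reports), the check a defender could run over a package's NuGet v3 registration index to surface the mostly-unlisted version pattern described above; the package name, URL and version data below are constructed, and the flagging thresholds are assumptions rather than values from the reports.

```python
import json

def make_sample_registration_index() -> str:
    """Build a constructed NuGet v3 registration index for a hypothetical package
    with 24 versions, only 2 of them listed (mirrors the mostly-unlisted pattern)."""
    leaves = []
    for minor in range(24):
        leaves.append({"catalogEntry": {
            "id": "Example.Fake.Package",        # hypothetical package name
            "version": f"1.{minor}.0",
            "listed": minor in (0, 23),          # only the first and last are listed
        }})
    page = {"@id": "https://example.invalid/registration/example.fake.package/index.json#page/1.0.0/1.23.0",
            "count": len(leaves), "items": leaves}
    return json.dumps({"count": 1, "items": [page]})

def version_listing_stats(registration_index_json: str) -> dict:
    """Count listed vs. unlisted versions in a registration index.
    NuGet treats a missing 'listed' field as true. Pages without inline
    'items' (large packages) must be fetched separately via their '@id';
    they are reported as unresolved rather than silently skipped."""
    index = json.loads(registration_index_json)
    listed = unlisted = 0
    unresolved_pages = []
    for page in index.get("items", []):
        if "items" not in page:
            unresolved_pages.append(page.get("@id"))
            continue
        for leaf in page["items"]:
            if leaf["catalogEntry"].get("listed", True):
                listed += 1
            else:
                unlisted += 1
    total = listed + unlisted
    return {"listed": listed, "unlisted": unlisted, "total": total,
            "unlisted_ratio": (unlisted / total) if total else 0.0,
            "unresolved_pages": unresolved_pages}

def flag_mostly_unlisted(stats: dict, min_versions: int = 20,
                         min_unlisted_ratio: float = 0.9) -> bool:
    """Heuristic: many versions, almost all hidden from search, deserves a manual look.
    Thresholds are assumed starting points, not values taken from the reports."""
    return stats["total"] >= min_versions and stats["unlisted_ratio"] >= min_unlisted_ratio

if __name__ == "__main__":
    s = version_listing_stats(make_sample_registration_index())
    print(s, "suspicious" if flag_mostly_unlisted(s) else "ok")
```

A result with non-empty unresolved_pages is incomplete; fetch each listed '@id' and merge the counts before applying the heuristic.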
Key Entities
- Malware (attack_type)
- Supply Chain Attack (attack_type)
- dns-providersa2.com (domain)
- T1003 - OS Credential Dumping (mitre_attack)
- T1036 - Masquerading (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- T1195 - Supply Chain Compromise (mitre_attack)
- NuGet (platform)
- .NET Reactor (tool)