Cybersecurity researchers have identified a sophisticated supply chain attack targeting the NuGet package manager. Malicious actors have distributed a fake Nethereum package, using a homoglyph character to impersonate the legitimate library. This deceptive package was designed to steal sensitive cryptocurrency wallet keys from unsuspecting developers.

Key Takeaways

• A fake Nethereum NuGet package, "Netherеum.All," was discovered using a Cyrillic homoglyph to mimic the legitimate library.

• The package aimed to steal cryptocurrency wallet keys, including mnemonic phrases, private keys, and keystore data.

• Attackers artificially inflated download counts to create a false sense of legitimacy.

• The NuGet platform's lack of strict naming conventions contributed to the vulnerability.

The Homoglyph Attack Explained

The discovered malicious package, "Netherеum.All," employed a clever trick to evade detection. It replaced the final 'e' in "Nethereum" with a visually identical Cyrillic homoglyph character (U+0435). This subtle alteration, often missed during casual inspection, allowed the fake package to appear legitimate in search results and developer downloads.

Stealing Sensitive Data

Once installed, the malicious package contained functionality within a function named . This function was designed to decode an XOR-encoded string, extract the command-and-control (C2) server address (solananetworkinstance[.]info/api/gads), and exfiltrate critical wallet information. This included mnemonic phrases, private keys, and keystore data, effectively compromising users' cryptocurrency holdings.

Deceptive Tactics and Platform Vulnerabilities

To further enhance its credibility, the threat actor artificially inflated the download count of the "Netherеum.All" package, claiming an improbable 11.7 million downloads. This was achieved by scripting automated downloads through NuGet's API, creating a false impression of popularity and trustworthiness. Security researchers noted that this tactic boosts the package's visibility in search results sorted by relevance.

The NuGet package manager has been identified as particularly vulnerable to such attacks due to its lenient naming policies. Unlike other repositories that enforce ASCII-only naming, NuGet permits a wider range of characters, opening the door for homoglyph and typosquatting attacks. The package was uploaded on October 16, 2025, by a user named "nethereumgroup" and was removed by NuGet four days later for violating terms of use. The same threat actor had previously uploaded another malicious package, "NethereumNet," which was also removed.

Mitigation and Best Practices

To combat these types of supply chain attacks, developers are urged to exercise extreme caution when selecting and downloading third-party libraries. Key mitigation strategies include:

• Scrutinize Publisher Identity: Always verify the publisher of a package.

• Monitor Download Counts: Be wary of sudden, unusually high download surges for new or unfamiliar packages.

• Inspect Package Contents: Carefully review the code and dependencies of libraries before integration.

• Network Traffic Monitoring: Watch for anomalous network activity originating from integrated libraries.

This incident highlights the ongoing threat of supply chain attacks and the importance of robust security practices within the software development ecosystem. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

• Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys, The Hacker News.