14 Harmful NuGet Packages Discovered Exfiltrating Crypto Wallets and Ad Information

The rapid growth of cryptocurrency has been matched by a rise in the tactics cybercriminals use to siphon off assets. The latest example surfaced on NuGet, the package registry for the .NET ecosystem, where developers pull in building blocks for their applications. The campaign was identified by ReversingLabs, a software security firm, and publicly disclosed on Monday.

Deceptive Tactics to Gain Trust

Researchers at ReversingLabs found that since July 2025 a threat actor has been publishing "poisoned" packages that masquerade as reputable tools. Beyond embedding malicious code, the attackers used social-engineering techniques to make the packages look trustworthy.

One key technique is the use of homoglyphs: characters that look identical to a human reader but are distinct code points to a computer. The package Netherеum.All, for example, spells its name with a Cyrillic "е" in place of the Latin "e", so it mimics Nethereum, a well-known .NET Ethereum library, while registering as an entirely different package ID.

Source: ReversingLabs
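A check a practitioner can run against a project's own dependencies, added here as an example and not part of the ReversingLabs report or of any NuGet tooling: it scans the PackageReference entries of a .csproj for non-ASCII characters, folds look-alike letters onto their ASCII twins, and flags any name that then collides with a trusted package ID. The confusables table, the trusted allowlist and the sample project file are all constructed assumptions for this example.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Hand-picked subset of Unicode look-alikes (Cyrillic and Greek letters that render
# like Latin ones). An assumption for this example; a production scanner would load
# the full UTS #39 confusables table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u039f": "O",
    "\u03bf": "o",
}

# Package IDs the project is known to depend on (assumed allowlist for this example).
TRUSTED = {"Nethereum.All", "NBitcoin", "Newtonsoft.Json"}

# Constructed .csproj fragment; the second reference spells "Nethereum" with the
# Cyrillic letter U+0435 in place of the Latin "e". Versions are placeholders.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="1.0.0" />
    <PackageReference Include="Nether\u0435um.All" Version="1.0.0" />
  </ItemGroup>
</Project>"""


def skeleton(package_id: str) -> str:
    """Fold compatibility forms (NFKC) and known look-alikes onto ASCII so that two
    visually identical IDs yield the same string."""
    folded = unicodedata.normalize("NFKC", package_id)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def non_ascii_chars(package_id: str) -> list:
    """Every non-ASCII code point in the ID, with its position and Unicode name."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(package_id) if ord(ch) > 0x7F]


def classify(package_id: str) -> dict:
    """Verdicts: 'ok' (pure ASCII), 'non-ascii' (unexpected script, review manually),
    'homoglyph-of-trusted' (folds onto a trusted ID it does not literally equal)."""
    odd = non_ascii_chars(package_id)
    skel = skeleton(package_id)
    verdict = "ok"
    if odd:
        verdict = ("homoglyph-of-trusted"
                   if (skel in TRUSTED and skel != package_id) else "non-ascii")
    return {"id": package_id, "skeleton": skel, "non_ascii": odd, "verdict": verdict}


def scan_csproj(xml_text: str) -> list:
    """Classify every <PackageReference Include=...> in an MSBuild project file.
    Tags are matched by local name so namespaced (old-style) projects work too."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        pid = el.get("Include") or el.get("Update")
        if pid:
            findings.append(classify(pid))
    return findings


if __name__ == "__main__":
    for f in scan_csproj(SAMPLE_CSPROJ):
        print(f"{f['verdict']:22} {f['id']!r} -> {f['skeleton']!r} {f['non_ascii']}")
```

Run on the constructed project file, the first reference is reported as ok and the second as homoglyph-of-trusted, with the offending character identified as CYRILLIC SMALL LETTER IE at offset 6. Any ID that folds onto a trusted name but is not byte-for-byte that name should block the build, not just warn.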

To deepen the deception, the attackers practised version bumping: publishing updates in quick succession to give the impression of an active, maintained project. Some packages also showed download counts in the millions, artificially inflated so that developers would assume the code had already been vetted by the community.

ReversingLabs noted on social media that it had uncovered a malicious NuGet package impersonating Nethereum, a popular Ethereum library, which claimed more than 10 million downloads, a figure the researchers judged to be artificially inflated.
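Version bumping and inflated download counts leave measurable traces in package metadata. The script below is an added example (not tooling from ReversingLabs or NuGet) that scores a package on three signals: how many releases land inside any seven-day window, how old the package is, and how many downloads per day that age implies. The two metadata records, the thresholds and the fixed "now" timestamp are constructed assumptions; a real vetting job would pull version publish dates and download totals from the registry's APIs.

```python
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the numbers below are reproducible (an assumption).
NOW = datetime(2025, 8, 5, tzinfo=timezone.utc)

# Constructed metadata records, not a real registry response. The shape is the
# minimum a vetting job needs: per-version publish timestamps plus a download total.
BURSTY = {
    "id": "Example.Wallet.Sdk",
    "total_downloads": 10_500_000,
    "versions": [
        {"version": f"1.0.{i}",
         "published": (datetime(2025, 7, 20, tzinfo=timezone.utc)
                       + timedelta(hours=4 * i)).isoformat()}
        for i in range(15)
    ],
}
STEADY = {
    "id": "Example.Json",
    "total_downloads": 120_000,
    "versions": [
        {"version": "1.0.0", "published": "2024-08-01T00:00:00Z"},
        {"version": "1.1.0", "published": "2025-01-15T00:00:00Z"},
        {"version": "1.2.0", "published": "2025-06-01T00:00:00Z"},
    ],
}


def parse_ts(value: str) -> datetime:
    """Parse ISO-8601 timestamps, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def max_releases_in_window(published: list, window_days: int = 7) -> int:
    """Largest number of releases falling inside any window of the given length
    (sliding window over the sorted timestamps)."""
    ts = sorted(published)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > timedelta(days=window_days):
            start += 1
        best = max(best, end - start + 1)
    return best


def assess(meta: dict, now: datetime = NOW, *, burst_limit: int = 10,
           young_days: int = 30, dl_per_day_limit: int = 5_000) -> dict:
    """Score one package. Thresholds are illustrative assumptions, not calibrated."""
    published = [parse_ts(v["published"]) for v in meta["versions"]]
    # Clamp age to one hour so a package published minutes ago does not divide by zero.
    age_days = max((now - min(published)).total_seconds() / 86_400, 1 / 24)
    burst = max_releases_in_window(published)
    downloads = meta["total_downloads"]
    per_day = downloads / age_days
    flags = []
    if burst >= burst_limit:
        flags.append(f"{burst} releases inside one 7-day window (version bumping)")
    if age_days < young_days and downloads >= 1_000_000:
        flags.append(f"{downloads:,} downloads for a package only {age_days:.0f} days old")
    if per_day > dl_per_day_limit:
        flags.append(f"{per_day:,.0f} downloads/day exceeds {dl_per_day_limit:,}")
    return {"id": meta["id"], "age_days": round(age_days, 1), "burst": burst,
            "downloads_per_day": round(per_day), "flags": flags}


if __name__ == "__main__":
    for meta in (BURSTY, STEADY):
        result = assess(meta)
        print(result["id"], "SUSPICIOUS" if result["flags"] else "ok")
        for flag in result["flags"]:
            print("  -", flag)
```

On the constructed data the bursty package trips all three flags (15 releases in under three days, over ten million downloads at sixteen days old, roughly 656,000 downloads per day) while the steady one trips none. The absolute thresholds matter less than the combination: a young package with a release burst and a download rate out of proportion to its age deserves a manual look before it enters a build.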

Identity of the Perpetrators

Investigations into the origin of the attacks found that one package, SolnetAll, had already been removed before it could be analysed in full. Analysts nonetheless linked it to an author publishing under the name DamienMcdougal.

That account is of particular interest because of its ties to other malicious packages, such as NBitcoin.Unified. The group appears persistent, routinely switching aliases to evade detection, as the researchers note in a detailed blog post on their findings.

Tactics Used to Divert Funds

ReversingLabs sorted the 14 malicious packages into three groups. The first, nine packages, is designed to steal seed phrases and private keys, the secrets that give full control over a cryptocurrency wallet. The injected code lies dormant and activates only at the point where the victim is most exposed.

The second group, which includes the Coinbase.Net.Api package, takes a different approach: when a user initiates a cryptocurrency transfer, the malware silently rewrites the destination address to the attacker's wallet for any transaction worth more than $100.
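An address swap like the one described above is only caught if the application checks what the dependency actually produced, not what it reports. The simulation below is an added example and is not code from the malicious package or from Coinbase: it models a transfer builder that rewrites the destination inside the raw payload above $100 while its human-readable summary still shows the caller's address, alongside a guard that independently decodes the payload before anything is signed or broadcast. The payload layout (a 20-byte address followed by an 8-byte amount in cents), the attacker address and the recipient address are constructed for the demonstration.

```python
# Constructed stand-in for the attacker-controlled wallet; not a real address.
ATTACKER_ADDRESS = "0x" + "ab" * 20

SWAP_THRESHOLD_CENTS = 100_00  # the $100 cut-off reported for the real packages


class DestinationMismatch(Exception):
    """Raised when the payload about to be signed does not match the caller's intent."""


def untrusted_build_transfer(to: str, cents: int) -> dict:
    """Model of the malicious builder (constructed; not the package's code).
    Above the threshold it swaps the destination inside the raw payload while the
    summary it returns keeps the address the caller asked for."""
    actual_to = ATTACKER_ADDRESS if cents > SWAP_THRESHOLD_CENTS else to
    payload = bytes.fromhex(actual_to[2:]) + cents.to_bytes(8, "big")
    return {"summary": {"to": to, "cents": cents}, "raw": payload.hex()}


def honest_build_transfer(to: str, cents: int) -> dict:
    """A builder with no swap, for comparison."""
    payload = bytes.fromhex(to[2:]) + cents.to_bytes(8, "big")
    return {"summary": {"to": to, "cents": cents}, "raw": payload.hex()}


def decode_payload(raw_hex: str) -> tuple:
    """Independent decoder for the constructed payload layout. The guard relies on
    this, never on anything the builder says about its own output."""
    raw = bytes.fromhex(raw_hex)
    if len(raw) != 28:
        raise ValueError(f"unexpected payload length {len(raw)}")
    return "0x" + raw[:20].hex(), int.from_bytes(raw[20:], "big")


def guarded_send(build, to: str, cents: int) -> str:
    """Build a transfer with the given library function, then refuse to proceed
    unless the decoded payload carries exactly the intended destination and amount.
    Returns the raw payload hex on success."""
    tx = build(to, cents)
    actual_to, actual_cents = decode_payload(tx["raw"])
    if actual_to.lower() != to.lower() or actual_cents != cents:
        raise DestinationMismatch(
            f"intended {to} / {cents} cents, payload carries {actual_to} / {actual_cents} cents")
    return tx["raw"]


def summary_looks_fine(build, to: str, cents: int) -> bool:
    """The naive check: trust the builder's own summary. Passes even when swapped."""
    tx = build(to, cents)
    return tx["summary"]["to"] == to and tx["summary"]["cents"] == cents


if __name__ == "__main__":
    user_wallet = "0x" + "01" * 20  # constructed recipient
    for cents in (50_00, 150_00):
        print(f"${cents / 100:.2f}: summary check passes ->",
              summary_looks_fine(untrusted_build_transfer, user_wallet, cents))
        try:
            guarded_send(untrusted_build_transfer, user_wallet, cents)
            print("  guarded send: ok")
        except DestinationMismatch as err:
            print("  guarded send: BLOCKED,", err)
```

The $50 transfer passes both checks; the $150 transfer passes the summary check and is blocked by the guard, because the guard reads the destination out of the bytes that would be signed. In a real deployment the independent decoder is the chain's own transaction encoding (RLP for Ethereum, for instance), kept outside the dependency's reach, and the comparison is made against the address the user confirmed, never against a value derived from the library's return.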

The GoogleAds.API package, meanwhile, targets OAuth tokens. A stolen token gives an attacker access to a Google Ads account without the password (or any second factor the account enforces), and with it the ability to spend the victim's advertising budget on fraudulent campaigns.

Wider Implications for the Community

The fallout extends beyond individual developers. Because packages like these get built into larger applications, a developer who pulls one in can unknowingly ship the malicious code in a product, spreading it to thousands of unsuspecting end users. The case is a stark reminder that trust in third-party code is both essential and fragile.
