Executive Summary
In October 2025, cybersecurity experts identified a sophisticated supply chain attack wherein a malicious NuGet package, imitating the popular Nethereum library using a homoglyph trick, was uploaded to compromise .NET developers. The attacker distributed a typosquatted package ('Netherеum.All') containing encoded command-and-control (C2) communication that secretly harvested and exfiltrated sensitive cryptocurrency wallet credentials—including private keys and mnemonic phrases—from unsuspecting developers’ systems. The campaign demonstrates a heightened level of precision in leveraging open-source repositories for credential theft, with potential widespread financial impacts for organizations developing blockchain solutions.
This incident exemplifies the rapidly increasing risk posed by supply chain attacks exploiting trusted software ecosystems. It highlights both a surge in homoglyph-based typosquatting and a broader trend of targeting cryptocurrency assets via development toolchains—emphasizing the need for robust code provenance controls and package vetting.
Why This Matters Now
Supply chain attacks using homoglyph typosquats are on the rise, posing an urgent risk to development teams and organizations relying on open-source packages. The deceptive targeting of crypto wallet credentials in commonly used NuGet repositories underlines the need for immediate vigilance, improved package verification, and reinforced supply chain security measures to prevent financial and operational losses.
Attack Path Analysis
The attack began when developers accidentally installed a malicious, typosquatted NuGet package masquerading as Nethereum (Initial Compromise). The payload executed in victim environments, possibly gaining access to sensitive environment variables or process privileges (Privilege Escalation). The malware, once active, could scan for additional credentials or wallet keys across developer environments (Lateral Movement). It then established communication with a decoded command-and-control endpoint to receive commands and staging instructions (Command & Control). Stolen mnemonic phrases and private crypto wallet keys were exfiltrated to attacker infrastructure (Exfiltration). Finally, this resulted in theft of cryptocurrency assets and potential business disruption for affected organizations (Impact).
Kill Chain Progression
Initial Compromise
Description
Attackers leveraged a malicious, homoglyph typosquat NuGet package (Netherеum.All) to gain access when unsuspecting developers installed it.
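The homoglyph in this package name (a Cyrillic "е", U+0435, where Latin "e" belongs) is invisible to a reader but trivially detectable by machine. The following script is an added defensive example, not code from the original report or from the Nethereum project: it parses a packages.config file, flags any package ID that contains non-ASCII or mixed-script characters, and folds a small table of Unicode confusables so that look-alike IDs can be matched against an allowlist of expected package names. The sample packages.config and the trusted-ID list are constructed for the example.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample packages.config (not from the original report). The second
# entry spells Nethereum with a Cyrillic "е" (U+0435) in place of the Latin "e".
SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Nethereum.Web3" version="4.19.0" targetFramework="net8.0" />
  <package id="Nether\u0435um.All" version="4.19.0" targetFramework="net8.0" />
  <package id="Newtonsoft.Json" version="13.0.3" targetFramework="net8.0" />
</packages>
"""

# Package IDs the project expects to depend on (assumed allowlist for the example).
TRUSTED_IDS = ["Nethereum.All", "Nethereum.Web3", "Newtonsoft.Json"]

# Small subset of the Unicode TR39 confusables table: Cyrillic and Greek letters
# mapped to the Latin letter they visually imitate.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u0391": "A", "\u0392": "B", "\u0395": "E",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
}


def script_of(ch):
    # Derive the script from the Unicode character name, e.g.
    # "CYRILLIC SMALL LETTER IE" -> "CYRILLIC".
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(package_id):
    # NFKC-normalise, fold known confusables to Latin, then casefold so that
    # NuGet's case-insensitive IDs compare equal.
    folded = unicodedata.normalize("NFKC", package_id)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).casefold()


def analyse_package_id(package_id, trusted_ids):
    """Return a list of findings for one package ID (empty if it looks clean)."""
    findings = []
    non_ascii = [ch for ch in package_id if ord(ch) > 127]
    if non_ascii:
        codepoints = ", ".join(
            f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in non_ascii
        )
        findings.append("non-ascii: " + codepoints)
    scripts = {script_of(ch) for ch in package_id if ch.isalpha()}
    if len(scripts) > 1:
        findings.append("mixed-script: " + "/".join(sorted(scripts)))
    skel = skeleton(package_id)
    for trusted in trusted_ids:
        # Same skeleton but a different string: a look-alike of a trusted ID.
        if skel == skeleton(trusted) and package_id.casefold() != trusted.casefold():
            findings.append("confusable-with: " + trusted)
    return findings


def scan_packages_config(xml_text, trusted_ids):
    """Map each suspicious package ID in a packages.config document to its findings."""
    root = ET.fromstring(xml_text)
    report = {}
    for pkg in root.iter("package"):
        pid = pkg.get("id", "")
        findings = analyse_package_id(pid, trusted_ids)
        if findings:
            report[pid] = findings
    return report


if __name__ == "__main__":
    for pid, findings in scan_packages_config(SAMPLE_PACKAGES_CONFIG, TRUSTED_IDS).items():
        print(f"SUSPICIOUS {pid!r}")
        for f in findings:
            print("   -", f)
```

The non-ASCII and mixed-script checks need no allowlist and are the cheapest gate to put in a CI step before `dotnet restore`; the skeleton comparison adds the "which legitimate package is this imitating" context that makes triage fast. The confusables table here is deliberately small; a production check should load the full Unicode confusables data rather than this excerpt.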
Related CVEs
CVE-2024-21907
CVSS 7.5
A vulnerability in the NuGet package manager allows for the publication of packages with names containing Unicode homoglyphs, enabling attackers to impersonate legitimate packages and distribute malicious code.
Affected Products:
Microsoft NuGet Package Manager – All versions prior to the implementation of homoglyph detection mechanisms
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise
Compromise Software Supply Chain
Command and Scripting Interpreter: Windows Command Shell
Obfuscated Files or Information
System Information Discovery
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Exfiltration Over C2 Channel
Credentials from Password Stores
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Maintain a Software Inventory
Control ID: 12.2.1
PCI DSS 4.0 – Protect Applications and Prevent Malicious Code
Control ID: 6.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management – Third-Party Risk
Control ID: Article 10(3)
CISA ZTMM 2.0 – Asset Management – Software Components
Control ID: 7.1.3
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Supply chain attacks targeting cryptocurrency wallets create critical risks for financial institutions managing digital assets and client crypto holdings.
Computer Software/Engineering
NuGet package typosquatting directly threatens software developers using .NET frameworks, compromising development pipelines and cryptocurrency wallet integrations.
Banking/Mortgage
Banks exploring blockchain services face heightened supply chain risks from malicious packages that steal private keys and cryptocurrency credentials.
Investment Banking/Venture
Investment firms handling cryptocurrency portfolios are vulnerable to mnemonic phrase theft through compromised development tools and blockchain integration libraries.
Sources
- Fake Nethereum NuGet Package Used Homoglyph Trick to Steal Crypto Wallet Keys (https://thehackernews.com/2025/10/fake-nethereum-nuget-package-used.html) – Verified
- Malicious NuGet Packages Typosquat Nethereum to Exfiltrate Wallet Keys (https://socket.dev/blog/malicious-nuget-packages-typosquat-nethereum-to-exfiltrate-wallet-keys) – Verified
- Vulnerabilities - Netherеum.All - NuGet | ReversingLabs Spectra Assure Community (https://secure.software/nuget/packages/nether%D0%B5um.all/vulnerabilities) – Verified
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, egress enforcement, encrypted traffic policies, and continuous anomaly detection at the cloud network layer would have limited malware movement, detected suspicious data flows, and blocked outbound exfiltration paths—even in the event of a developer workstation compromise.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline controls identify and alert on the introduction of suspicious packages or anomalous code.
Control: Zero Trust Segmentation
Mitigation: Least-privilege segmentation restricts lateral access from developer workloads.
Control: East-West Traffic Security
Mitigation: East-west flow monitoring detects unauthorized internal movements.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound malicious traffic to unknown C2 domains is blocked and logged.
Control: Encrypted Traffic (HPE)
Mitigation: Data exfiltration attempts are encrypted and monitored for anomalies.
Automated detection and response contain post-breach activity and alert SOC teams.
Impact at a Glance
Affected Business Functions
- Software Development
- Cryptocurrency Transactions
Estimated downtime: 4 days
Estimated loss: $500,000
Sensitive cryptocurrency wallet credentials, including mnemonic phrases, private keys, and keystore data, were exfiltrated, potentially leading to unauthorized access and financial theft.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and microsegmentation to isolate developer workloads and reduce the blast radius of compromise.
- Mandate egress controls and FQDN filtering to block unauthorized outbound C2 connections from cloud workloads.
- Deploy inline anomaly detection and threat response capabilities to rapidly identify suspicious package installs or data transfer patterns.
- Enable encrypted traffic visibility and packet inspection to detect and restrict data exfiltration of sensitive keys or artifacts.
- Integrate continuous workload visibility and centralized policy management for multi-cloud developer environments to streamline rapid, policy-driven containment.