Executive Summary
Between February 2020 and December 2025, a malicious NuGet package named "Tracer.Fody.NLog" posed as the legitimate .NET tracing library Tracer.Fody. Its package ID and its publisher handle ("csnemess") were chosen to resemble the genuine project and its maintainer, a combination of typosquatting and identity mimicry that let the package sit in the feed undetected for almost six years and accumulate over 2,000 downloads. Instead of providing the tracing functionality its name promised, the package carried a wallet stealer: on Windows hosts it scanned the default Stratis wallet directory and exfiltrated wallet data and passwords to threat actor infrastructure hosted in Russia. The malicious routine was buried in code that looked like ordinary library plumbing, so a superficial code review would not surface it.
The length of time this attack went unnoticed underscores the persistent supply chain risk facing open-source ecosystems, particularly developer tools and libraries. It also shows how convincingly attackers mimic trusted maintainers, how hard such manipulation is to spot in a package feed, and why regulators and security teams are pressing for better package repository hygiene and detection.
Why This Matters Now
As supply chain attacks on developer ecosystems grow more sophisticated, this incident shows why organizations must tighten dependency management and continuously monitor the open-source packages they consume. Cryptocurrency holders, and the developers who build software that runs alongside wallets, remain targets; that demands stricter safeguards and greater awareness.
Attack Path Analysis
The attack began when developers installed a malicious NuGet package that impersonated a legitimate library, so the attacker's code ran wherever the package was restored, built, or executed. The malicious code stayed within the user's normal privilege boundary and quietly scanned for cryptocurrency wallet files; no privilege escalation or pivoting was needed, because the payload ran in user context and targeted local files. Lateral movement was not observed, although a compromised build or developer host could reach additional assets if network permissions were loose. The package did not need an interactive command-and-control channel: its only network activity was outbound exfiltration of the stolen wallet data to threat actor infrastructure over web protocols. Sensitive wallet and password data left the environment, causing significant data loss. While the main impact was theft of digital assets, the quiet nature of the attack raises the risk of follow-on compromise or reuse of the stolen keys.
Kill Chain Progression
Initial Compromise
Description
Developers downloaded and integrated a typosquatted NuGet package (“Tracer.Fody.NLog”), unintentionally installing malicious code into their build and runtime environments.
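The near-miss naming that made this package effective can be checked mechanically before a restore is trusted. The following Python script is an added example, not code from the original advisory or from the Tracer.Fody project: it walks a NuGet packages.lock.json, compares each resolved package ID against a reviewed allowlist (same dotted segments in another order, a trusted ID with an extra segment appended, or a small edit distance), and compares the publisher handle against known maintainer handles. The allowlist, the owner mapping and the sample lock file are constructed for illustration, and "csnemes" as the legitimate maintainer handle for Tracer.Fody is an assumption; a real audit would fetch owner handles from the NuGet registration API rather than supply them inline.

```python
"""Audit a NuGet packages.lock.json for typosquat-style package IDs and
look-alike publisher handles.

Added example, not code from the advisory or the Tracer.Fody project. The
allowlist, maintainer handles, owner mapping and sample lock file are
constructed; "csnemes" as the legitimate Tracer.Fody maintainer is assumed.
"""
import json

# Assumed allowlist: package IDs the team has already reviewed (lowercase).
TRUSTED_PACKAGES = {"tracer.fody", "tracer.nlog.fody", "nlog", "fody", "newtonsoft.json"}
# Assumed NuGet owner handles of those packages.
TRUSTED_OWNERS = {"csnemes", "nlog", "fody", "jamesnk"}
MAX_EDITS = 2  # one or two character changes is the classic typosquat budget


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough that no dependency is needed."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _segments(pkg_id: str) -> frozenset:
    return frozenset(pkg_id.lower().split("."))


def classify(pkg_id: str, owner: str) -> list:
    """Return the reasons a package looks like a look-alike; [] means it passed."""
    pid = pkg_id.lower()
    if pid in TRUSTED_PACKAGES:
        return []
    reasons = []
    for trusted in sorted(TRUSTED_PACKAGES):
        if _segments(trusted) == _segments(pid):
            # Same dotted segments in another order: Tracer.Fody.NLog vs Tracer.NLog.Fody
            reasons.append(f"segments of trusted package {trusted!r} reordered")
        elif pid.startswith(trusted + "."):
            # Trusted ID with an extra segment bolted on: Tracer.Fody + .NLog
            reasons.append(f"extends trusted package id {trusted!r}")
        elif 0 < levenshtein(pid, trusted) <= MAX_EDITS:
            reasons.append(f"within {MAX_EDITS} edits of trusted package {trusted!r}")
    handle = owner.lower()
    if handle and handle not in TRUSTED_OWNERS:
        for known in sorted(TRUSTED_OWNERS):
            if 0 < levenshtein(handle, known) <= MAX_EDITS:
                reasons.append(f"owner {owner!r} is a near-miss of maintainer {known!r}")
    return reasons


def audit_lock_file(lock_json: str, owners: dict) -> dict:
    """Return {package_id: [reasons]} for every resolved package in a
    packages.lock.json that trips a heuristic. `owners` maps package ID to
    its NuGet owner handle; a real audit would fetch it from the registry."""
    doc = json.loads(lock_json)
    findings = {}
    for deps in doc.get("dependencies", {}).values():  # keyed by target framework
        for pkg_id in deps:
            reasons = classify(pkg_id, owners.get(pkg_id, ""))
            if reasons:
                findings[pkg_id] = reasons
    return findings


# Constructed sample: a lock file that pulled in the look-alike next to the real library.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Tracer.Fody": {"type": "Direct", "resolved": "1.0.0"},
            "Tracer.Fody.NLog": {"type": "Direct", "resolved": "0.0.0"},
            "NLog": {"type": "Direct", "resolved": "1.0.0"},
            "Newtonsoft.Json": {"type": "Transitive", "resolved": "1.0.0"},
        }
    },
})
SAMPLE_OWNERS = {"Tracer.Fody": "csnemes", "Tracer.Fody.NLog": "csnemess",
                 "NLog": "nlog", "Newtonsoft.Json": "jamesnk"}

if __name__ == "__main__":
    for pkg, reasons in audit_lock_file(SAMPLE_LOCK, SAMPLE_OWNERS).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

The "extends a trusted ID" rule is deliberately noisy (it also fires on legitimate sub-packages such as a vendor's Foo.Extensions next to a trusted Foo), so treat findings as a review queue rather than a block list; the combination of a reordered or extended trusted name with a near-miss owner handle is the signal that deserves a hold on the build.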
Related CVEs
CVE-2025-22230
CVSS 9.3
A malicious NuGet package, Tracer.Fody.NLog, masquerades as a legitimate .NET tracing library to exfiltrate Stratis cryptocurrency wallet data.
Affected Products:
NuGet Tracer.Fody.NLog – 0.0.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
These ATT&CK techniques capture the core supply chain, masquerading, defense evasion, discovery, and exfiltration activities observed in this incident.
Supply Chain Compromise: Compromise Software Supply Chain
Compromise Client Software Binary
Application Layer Protocol: Web Protocols
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Masquerading: Match Legitimate Name or Location
Deobfuscate/Decode Files or Information
Obfuscated Files or Information
Virtualization/Sandbox Evasion: System Checks
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change and Tamper Detection Mechanisms
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Third-party Risk Management
Control ID: Article 27
CISA Zero Trust Maturity Model (ZTMM 2.0) – Asset and Supply Chain Risk Management
Control ID: Asset Management – Supply Chain Security
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of this compromise, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting NuGet packages directly threaten software development workflows, requiring enhanced package validation and egress security controls.
Financial Services
Cryptocurrency wallet theft capabilities pose direct financial risks, demanding strengthened threat detection and anomaly response systems for digital asset protection.
Information Technology/IT
Typosquatting attacks exploit IT infrastructure dependencies, necessitating zero trust segmentation and multicloud visibility controls across development environments.
Cybersecurity
Supply chain compromises undermine security tool integrity, requiring enhanced encrypted traffic monitoring and east-west traffic security for defensive systems.
Sources
- Rogue NuGet Package Poses as Tracer.Fody, Steals Cryptocurrency Wallet Data: https://thehackernews.com/2025/12/rogue-nuget-package-poses-as-tracerfody.html
- Malicious NuGet Package Steals Crypto Wallet Data for Over 5 Years: https://www.webpronews.com/malicious-nuget-package-steals-crypto-wallet-data-for-over-5-years/
- Malicious NuGet Package Uses .NET Logging to Steal Crypto Wallets: https://gbhackers.com/malicious-nuget-package/
- Malicious NuGet Package Uses .NET Logging Tool to Steal Cryptocurrency Wallet Data: https://cybersecuritynews.com/malicious-nuget-package-uses-net-logging-tool/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress security, inline threat detection, and east-west traffic controls would have limited the exposure of sensitive wallet data, detected malicious exfiltration attempts, and prevented unmonitored outbound connections to attacker infrastructure.
Control: Multicloud Visibility & Control
Mitigation: Greater visibility into all software dependencies and inbound code artifacts.
Control: Zero Trust Segmentation
Mitigation: Enforced least privilege and workload segmentation would have limited file and credential access.
Control: East-West Traffic Security
Mitigation: Workload-to-workload network movement detected or blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound exfiltration traffic to unapproved destinations prevented or flagged for immediate response.
Control: Cloud Firewall (ACF) & Inline IPS (Suricata)
Mitigation: Anomalous exfiltration attempts detected and prevented in real time.
Rapid alerting on abnormal file access or outbound activity reduces dwell time and limits total loss.
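The alerting described above, on abnormal file access and on unmonitored outbound connections, can be made concrete as a correlation rule. The following Python script is an added example, not code from the original advisory or from any CNSF product: it parses constructed endpoint telemetry lines and raises a high-severity alert when a .NET build or runtime process (msbuild.exe, dotnet.exe, devenv.exe) reads a file under an assumed Stratis wallet directory and then POSTs to a destination outside the egress allowlist within five minutes, and a medium-severity alert when such a process POSTs to an unapproved destination with no preceding wallet read. The log format, the process list, the wallet path pattern under %APPDATA%\StratisNode, the allowlist and the destination hostname are all assumptions.

```python
"""Correlate wallet-directory file reads with unapproved outbound POSTs.

Added example (not code from the advisory or any vendor product). The
telemetry format, process names, wallet path pattern, egress allowlist
and destination hostnames are constructed/assumed for illustration.
"""
from datetime import datetime, timedelta
import re

# Assumed: processes that legitimately run during a .NET build or app run.
DEV_PROCESSES = {"msbuild.exe", "dotnet.exe", "devenv.exe"}
# Assumed: Stratis Full Node keeps wallet files under %APPDATA%\StratisNode.
WALLET_PATH_RE = re.compile(r"\\AppData\\Roaming\\StratisNode\\", re.IGNORECASE)
# Assumed: destinations a build host is allowed to POST to.
EGRESS_ALLOW = {"api.nuget.org", "nuget.pkg.github.com"}
# A wallet read followed by an unapproved POST within this window is correlated.
WINDOW = timedelta(minutes=5)

# Constructed telemetry: one timestamp, then space-separated key=value pairs.
EVENTS = [
    "2025-12-10T09:14:02Z host=build01 pid=4120 proc=msbuild.exe event=file_read "
    "path=C:\\Users\\dev\\AppData\\Roaming\\StratisNode\\stratis\\StratisMain\\main.wallet.json",
    "2025-12-10T09:14:03Z host=build01 pid=4120 proc=msbuild.exe event=net_connect method=POST dest=api.nuget.org",
    "2025-12-10T09:14:05Z host=build01 pid=4120 proc=msbuild.exe event=net_connect method=POST dest=collector.example.invalid",
    "2025-12-10T09:30:00Z host=build01 pid=5550 proc=chrome.exe event=net_connect method=POST dest=collector.example.invalid",
    "2025-12-10T10:01:00Z host=build02 pid=7001 proc=dotnet.exe event=net_connect method=POST dest=collector.example.invalid",
]


def parse(line: str) -> dict:
    """Split one telemetry line into a dict; the timestamp becomes a datetime."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in rest.split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def correlate(lines) -> list:
    """Return alerts as (host, pid, proc, dest, severity) tuples.

    high:   dev process read a wallet file, then POSTed to an unapproved
            destination within WINDOW (the exfiltration pattern).
    medium: dev process POSTed to an unapproved destination with no
            preceding wallet read (egress policy violation worth a look).
    """
    first_wallet_read = {}  # (host, pid) -> time of first wallet file read
    alerts = []
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        if ev.get("proc", "").lower() not in DEV_PROCESSES:
            continue  # browsers and other user apps are out of scope here
        key = (ev["host"], ev["pid"])
        if ev["event"] == "file_read" and WALLET_PATH_RE.search(ev.get("path", "")):
            first_wallet_read.setdefault(key, ev["ts"])
        elif ev["event"] == "net_connect" and ev.get("method") == "POST":
            if ev["dest"] in EGRESS_ALLOW:
                continue
            read_at = first_wallet_read.get(key)
            correlated = read_at is not None and ev["ts"] - read_at <= WINDOW
            alerts.append((ev["host"], ev["pid"], ev["proc"], ev["dest"],
                           "high" if correlated else "medium"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Keying the correlation on (host, pid) rather than on process name is what keeps the rule precise: a build agent legitimately POSTs to the package feed all day, so the allowlist absorbs that, and only the same process that touched the wallet directory and then left the environment for an unapproved host is promoted to high severity. The medium tier is the egress-policy check on its own and is the one that would have fired even on a host with no wallet installed.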
Impact at a Glance
Affected Business Functions
- Software Development
- Cryptocurrency Transactions
Estimated downtime: 7 days
Estimated loss: $500,000
Unauthorized access and exfiltration of Stratis cryptocurrency wallet data, including wallet passwords, leading to potential financial theft and compromise of sensitive information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation and microsegmentation to isolate sensitive developer environments and limit attack blast radius.
- Enforce egress filtering and centralized outbound policy to restrict unauthorized communications to the internet and flag risky destinations.
- Deploy inline IPS and cloud-native firewalls for real-time inspection, detecting and blocking malicious payloads or exfiltration attempts.
- Enhance visibility across multicloud and hybrid environments to identify anomalous package downloads, dependency changes, and unexpected access patterns.
- Establish robust threat detection and incident response workflows with continuous baselining to rapidly contain new supply chain threats.