


Perceptive Security
SOC/SIEM Consultancy

Five malicious NuGet packages impersonate Chinese .NET libraries to deploy a stealer targeting browser credentials, crypto wallets, SSH keys, and local files.
Published:
6 May 2026 at 21:00:10
Alert date:
6 May 2026 at 23:05:11
Source:
socket.dev
Supply Chain & Dependencies, Ransomware & Malware, Data Breach & Exfiltration
Five malicious NuGet packages published under account bmrxntfj impersonate Chinese .NET UI libraries to distribute a credential and cryptocurrency wallet stealer. The packages use typosquatting techniques and .NET Reactor protection to target browser credentials, crypto wallets, SSH keys, and local files. With approximately 65,000 downloads, the campaign affects thousands of developer workstations and CI/CD servers. The stealer targets 12 browsers, 8 desktop crypto wallets, and 5 browser wallet extensions, exfiltrating data to a C2 domain. The threat actor uses version rotation as an active evasion technique to invalidate hash-based IOCs.
Technical details
Five malicious NuGet packages published under the account 'bmrxntfj' typosquat Chinese .NET UI libraries and are protected with .NET Reactor. Each package grafts an infostealer payload onto a decompiled copy of the legitimate library. Attack chain: a module initializer fires when the DLL is loaded; the Reactor bootstrap verifies its own integrity, allocates RWX memory, decrypts the Necrobit stage-2 payload, and patches clrjit.dll with a JIT hook. The payload targets 12 browsers, 8 desktop crypto wallets, and 5 browser wallet extensions. It uses string splitting to evade static detection, supports Windows, Linux, and macOS, performs process injection via SharpInjector, stages collected data in C:\ProgramData\Microsoft OneDrive\keys.dat, and exfiltrates to dns-providersa2[.]com. A version-rotation technique keeps only one version listed at a time while the packages accumulated 65,000+ downloads across 224 total versions, which invalidates hash-based IOCs.
Mitigation steps:
Check project files and packages.lock.json for any reference to IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, or IR.OscarUI. If found, treat the machine as compromised and rotate all credentials.
Block DNS resolution of dns-providersa2[.]com.
Alert on connections to 62[.]84[.]102[.]85.
Alert on file creation at C:\ProgramData\Microsoft OneDrive\keys.dat.
Alert on CoCreateInstance calls requesting the Edge IElevator interface {c9c2b807-7731-4f34-81b7-44ff7779522b} from non-Edge processes.
Alert on CI/build machines loading DLLs matching the SHA-256 hashes listed under IOCs below.
Flag outbound HTTP requests carrying headers matching X-[a-z]{3} from build or developer machines.
Suspend the bmrxntfj account and delist all five package IDs.
Search the NuGet registry for additional packages whose metadata carries the commit hash efb675de4b3af3dac3c9cae91075fd7cc2f4f98e, the Iplusus tag, or the git[.]justdotrip[.]com repository URL.
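The first mitigation step, automated as an added example (not code from the Socket report or from Perceptive): it walks a checkout, reads PackageReference/PackageVersion IDs from MSBuild project files and every resolved ID (direct and transitive) from packages.lock.json, and reports any of the five malicious package IDs. The sample project files it writes to a temporary directory are constructed, including their version numbers.

```python
import json
import os
import tempfile
import xml.etree.ElementTree as ET

# The five package IDs named in the advisory; NuGet IDs are case-insensitive.
MALICIOUS_IDS = {"ir.dantui", "ir.infrastructure.core",
                 "ir.infrastructure.dataservice.core", "ir.iplus32", "ir.oscarui"}
MSBUILD_EXT = (".csproj", ".fsproj", ".vbproj", ".props", ".targets")

def ids_in_msbuild(path):
    """Package IDs from PackageReference / PackageVersion items (SDK-style or old-style)."""
    found = set()
    for el in ET.parse(path).getroot().iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the xmlns of old-style csproj files
        if tag in ("PackageReference", "PackageVersion"):
            pkg = el.get("Include") or el.get("Update")
            if pkg:
                found.add(pkg.lower())
    return found

def ids_in_lockfile(path):
    """Every resolved package ID per target framework, transitive ones included."""
    with open(path) as f:
        data = json.load(f)
    return {pkg.lower() for deps in data.get("dependencies", {}).values() for pkg in deps}

def scan_tree(root_dir):
    """Return {file path: sorted malicious IDs referenced}; empty dict means no hit."""
    hits = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "packages.lock.json":
                ids = ids_in_lockfile(path)
            elif name.lower().endswith(MSBUILD_EXT):
                ids = ids_in_msbuild(path)
            else:
                continue
            bad = sorted(ids & MALICIOUS_IDS)
            if bad:
                hits[path] = bad
    return hits

def demo():
    """Constructed sample tree: one benign reference plus two typosquat hits."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "App.csproj"), "w") as f:
            f.write('<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
                    '<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />'
                    '<PackageReference Include="IR.OscarUI" Version="1.0.0" />'  # constructed
                    '</ItemGroup></Project>')
        with open(os.path.join(d, "packages.lock.json"), "w") as f:
            json.dump({"version": 1, "dependencies": {"net8.0": {
                "Newtonsoft.Json": {"type": "Direct", "resolved": "13.0.3"},
                "IR.Infrastructure.Core": {"type": "Transitive", "resolved": "1.0.0"}}}}, f)
        return {os.path.basename(p): v for p, v in scan_tree(d).items()}
```

Run `scan_tree(".")` at the root of a repository or build agent workspace; a hit in packages.lock.json with type Transitive means the package arrived through another dependency, so the project file alone would not have shown it.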
Affected products:
IR.DantUI
IR.Infrastructure.Core
IR.Infrastructure.DataService.Core
IR.iplus32
IR.OscarUI
Google Chrome
Microsoft Edge
Brave
Opera
Vivaldi
Epic Privacy
Torch
Comodo
Slimjet
Iridium
7Star
AVG Secure Browser
Firefox
Mozilla
Thunderbird
MetaMask
TronLink
Phantom
Trust Wallet
Coinbase Wallet
Exodus
Electrum
Atomic
Guarda
Coinomi
Ledger
Jaxx
Binance
Steam
Outlook
Related links:
https://socket.dev/nuget/package/ir.infrastructure.core
https://socket.dev/nuget/package/ir.infrastructure.dataservice.core
https://socket.dev/nuget/package/ir.dantui
https://socket.dev/nuget/package/ir.iplus32/overview/2.1.57
https://socket.dev/nuget/package/ir.oscarui
https://socket.dev/features/github
https://socket.dev/features/cli
https://socket.dev/blog/socket-firewall-enterprise
https://chromewebstore.google.com/detail/socket-security/jbcobpbfgkhmjfpjjepkcocalmpkiaop
https://socket.dev/blog/socket-mcp
Related CVEs:
Related threat actors:
IOCs:
dns-providersa2[.]com, https://dns-providersa2[.]com/check, https://dns-providersa2[.]com/upload, 62[.]84[.]102[.]85, justdotrip[.]com, 47[.]100[.]60[.]237, git[.]justdotrip[.]com, 1-you.njalla[.]no, 2-can.njalla[.]in, 3-get.njalla[.]fo, C:\ProgramData\Microsoft OneDrive\keys.dat, e1869d6571894f058dd4ab2b66f060628dc364ee8e29afbd2323c95e5002fb8e, 8f7aa15c77bde94087bb74dfc072e25212797b313731b4cad0ded3e152268dcf, 34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c, b8543b2a1ad8862ebfef18924cf5444d2adfee996939963f4fc2748c582cf9a9, b8fa1b2fade45304c003909e375d2519ea447b498b7d93fe7c50db014d30f4fa, 019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824, 596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1, nkbihfbeogaeaoehlefnkodbefgpgknn, ibnejdfjmmkpcnlpebklmnkoeoihofec, bfnaelmomeimhlpmgjnjophhpkkoljpa, egjidjbpglichdcondbcbdnbeeppgdph, hnfanknocfeofbddgcijnmhnfnkdnaad, {c9c2b807-7731-4f34-81b7-44ff7779522b}, HTTP header pattern: X-[a-z]{3}, zlUkMywGKDNbeJxH, efb675de4b3af3dac3c9cae91075fd7cc2f4f98e
This article was created with the assistance of AI technology by Perceptive.
