


Perceptive Security
SOC/SIEM Consultancy

Impostor NuGet package Tracer.Fody.NLog typosquats Tracer.Fody and its author, using homoglyph tricks, and exfiltrates Stratis wallet JSON/passwords to a Russia…
Published:
15 December 2025 at 13:36:20
Alert date:
15 December 2025 at 16:01:54
Source:
socket.dev
Supply Chain & Dependencies, Ransomware & Malware, Data Breach & Exfiltration
Malicious NuGet package Tracer.Fody.NLog typosquats the legitimate Tracer.Fody library to steal Stratis cryptocurrency wallet passwords. The package uses homoglyph characters and impersonates the original maintainer with a similar username (csnemess vs csnemes). When executed, it scans for Stratis wallet files and exfiltrates wallet data and passwords to a Russian IP address. The package remained undetected on NuGet Gallery for over 5 years with approximately 2,000 downloads. This is part of a broader campaign that also includes the malicious Cleary.AsyncExtensions package targeting mnemonic phrases and passphrases.
Technical details
The malicious package Tracer.Fody.NLog typosquats the legitimate Tracer.Fody library and uses a fake maintainer handle 'csnemess' (instead of 'csnemes'). It contains a cryptocurrency wallet stealer that scans the default Stratis wallet directory (%APPDATA%\StratisNode\stratis\StratisMain), reads *.wallet.json files, and exfiltrates wallet data along with passwords to a threat actor-controlled server in Russia at 176.113.82.163:4444. The malware uses homoglyphs (Cyrillic characters that resemble Latin letters) in identifiers and wires itself into the generic Guard.NotNull<T> helper. When the helper receives an object with a WalletPassword property, it triggers the malicious background routine that sends truncated wallet JSON fragments and passwords via HTTP GET requests to the C2 server.
Mitigation steps:
1. Immediately audit all .NET projects for the presence of the Tracer.Fody.NLog and Cleary.AsyncExtensions packages and remove them if found.
2. Verify that all Fody-related packages in your dependencies come from the legitimate maintainer 'csnemes', not 'csnemess'.
3. Implement Socket's security tooling, including the GitHub App for real-time pull-request scanning, the CLI for local development scanning, and the browser extension for registry page warnings.
4. Monitor network traffic for connections to 176.113.82.163:4444.
5. If using Stratis wallets, check for unauthorized access and consider rotating wallet credentials if the malicious package was present.
6. Implement supply chain security measures to detect typosquatted packages and suspicious maintainer accounts.
7. Use tools that can detect homoglyph-based obfuscation in package identifiers.
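The following script is an added example, not code from Socket, Perceptive or the Fody project. It walks through steps 1, 2 and 7 above against a project file: it flags the two malicious package IDs named in this advisory, flags a maintainer handle that is one edit away from the trusted 'csnemes' (the csnemess vs csnemes trick), and flags identifiers that mix Unicode scripts or contain non-ASCII characters, which is how a Cyrillic homoglyph in a package ID or author name would surface. The .csproj content and the package-to-maintainer map are constructed for the example; in practice the maintainer map would come from the NuGet gallery page or the package's .nuspec authors field.

```python
"""Audit a .NET project for the typosquats named in this advisory.

Added example (not the advisory author's or Socket's code). Checks:
  1. known-bad package IDs from the advisory,
  2. maintainer handles that are a near-miss of a trusted handle,
  3. homoglyphs: identifiers mixing Unicode scripts or containing non-ASCII.
"""
import unicodedata
import xml.etree.ElementTree as ET

# NuGet package IDs are case-insensitive, so everything is compared lower-cased.
MALICIOUS_IDS = {"tracer.fody.nlog", "cleary.asyncextensions"}  # from the advisory
# Trusted handles we expect to see on Fody-related packages; 'csnemes' is the
# legitimate Tracer.Fody maintainer named in the advisory (set is an assumption).
TRUSTED_MAINTAINERS = {"csnemes"}


def edit_distance(a, b):
    """Levenshtein distance; handles are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def script_of(ch):
    """Unicode script name ('LATIN', 'CYRILLIC', ...) for letters, None otherwise."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def homoglyph_findings(identifier):
    """Return a list of strings describing mixed-script or non-ASCII content."""
    scripts = {s for s in map(script_of, identifier) if s}
    findings = []
    if len(scripts) > 1:
        findings.append(f"mixed scripts {sorted(scripts)}")
    non_ascii = [c for c in identifier if ord(c) > 127]
    if non_ascii:
        findings.append("non-ASCII chars " + ", ".join(f"U+{ord(c):04X}" for c in non_ascii))
    return findings


def check_maintainer(handle):
    """Return a finding if the handle is one edit away from a trusted handle, else None."""
    h = handle.lower()
    if h in TRUSTED_MAINTAINERS:
        return None
    for trusted in TRUSTED_MAINTAINERS:
        if edit_distance(h, trusted) <= 1:  # one added, dropped or swapped character
            return f"maintainer {handle!r} is a near-miss of trusted {trusted!r}"
    return None


def package_refs_from_csproj(xml_text):
    """(Include, Version) pairs for every PackageReference in an SDK-style .csproj."""
    root = ET.fromstring(xml_text)
    return [(e.get("Include"), e.get("Version"))
            for e in root.iter("PackageReference") if e.get("Include")]


def audit(csproj_text, maintainers_by_package):
    """Return (package, finding) tuples. maintainers_by_package maps a lower-cased
    package ID to the handle that published it (looked up separately)."""
    findings = []
    for pkg, ver in package_refs_from_csproj(csproj_text):
        key = pkg.lower()
        if key in MALICIOUS_IDS:
            findings.append((pkg, f"known malicious package (version {ver})"))
        for f in homoglyph_findings(pkg):
            findings.append((pkg, f))
        maintainer = maintainers_by_package.get(key)
        if maintainer:
            for f in homoglyph_findings(maintainer):
                findings.append((pkg, f"maintainer {maintainer!r}: {f}"))
            near = check_maintainer(maintainer)
            if near:
                findings.append((pkg, near))
    return findings


# Constructed sample project: the legitimate library next to the typosquat.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Tracer.Fody" Version="3.3.1" />
    <PackageReference Include="Tracer.Fody.NLog" Version="3.2.4" />
    <PackageReference Include="NLog" Version="5.2.8" />
  </ItemGroup>
</Project>"""
# Constructed maintainer map reflecting the advisory's csnemess-vs-csnemes pair.
SAMPLE_MAINTAINERS = {"tracer.fody": "csnemes", "tracer.fody.nlog": "csnemess", "nlog": "nlog"}

if __name__ == "__main__":
    for pkg, finding in audit(SAMPLE_CSPROJ, SAMPLE_MAINTAINERS):
        print(f"[!] {pkg}: {finding}")
```

The near-miss check only catches single-character edits, which is what this campaign used; the homoglyph check is independent of that and will also catch an ID such as "Trаcer.Fody" with a Cyrillic а, which an exact string comparison against a blocklist would miss. Run it across every .csproj, packages.config and packages.lock.json in the estate, not just the top-level project.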
Affected products:
Tracer.Fody.NLog (malicious package)
Tracer.Fody (legitimate package being impersonated)
Stratis wallet software
.NET applications using the malicious package
Cleary.AsyncExtensions (related malicious package)
Related links:
https://socket.dev/nuget/package/tracer.fody.nlog
https://socket.dev/nuget/package/tracer.fody
https://socket.dev/nuget/package/tracer.fody.nlog/files/3.2.4/lib/net46/Tracer.Fody.dll
https://socket.dev/nuget/package/tracer.fody.nlog/maintainers/3.2.2
https://socket.dev/nuget/package/tracer.fody/maintainers/3.3.1
https://socket.dev/nuget/package/fodyhelpers
https://socket.dev/nuget/package/anotar.serilog.fody
https://socket.dev/nuget/package/virtuosity.fody
https://socket.dev/nuget/package/emptyconstructor.fody
https://socket.dev/nuget/package/tostring.fody
https://socket.dev/nuget/package/tracer.fody.nlog/files/3.2.2/lib/netstandard2.0/Tracer.Fody.dll
https://socket.dev/nuget/package/nito.asyncex/
https://x.com/aSteveCleary/status/1730994352132911613
https://socket.dev/nuget/package/cleary.asyncextensions
https://socket.dev/features/github
https://socket.dev/features/cli
https://chromewebstore.google.com/detail/socket-security/jbcobpbfgkhmjfpjjepkcocalmpkiaop?pli=1
https://socket.dev/blog/socket-mcp
https://www.nuget.org/profiles/stevencleary
Related CVEs:
Related threat actors:
IOCs:
Tracer.Fody.NLog (malicious NuGet package)
Cleary.AsyncExtensions (malicious NuGet package)
csnemess (fake NuGet maintainer alias)
stevencleary (fake NuGet maintainer alias)
176.113.82.163 (C2 server IP)
hxxp://176.113.82.163:4444 (C2 server URL)
hxxp://176.113.82.163:4444/KV/addentry (exfiltration endpoint)
WIN-FTDPCG4548K (RDP hostname on C2 server)
This article was created with the assistance of AI technology by Perceptive.
