
Homoglyph Supply Chain Attack Targets NuGet: Fake Netherеum.All Package Steals Ethereum Wallet Keys

  • Rescana
  • 2 days ago
  • 5 min read

Executive Summary

A critical supply chain attack has recently targeted the .NET development community through the NuGet package ecosystem. Malicious actors published a counterfeit version of the widely used Nethereum library, leveraging a homoglyph attack by substituting the Latin "e" with a visually identical Cyrillic "е" (Unicode U+0435) in the package name, resulting in Netherеum.All. This subtle manipulation enabled the attackers to deceive developers into integrating the malicious package into their projects. The rogue package was engineered to exfiltrate sensitive cryptocurrency wallet credentials, including mnemonic phrases, private keys, and keystore data, to a remote command-and-control (C2) server. The attackers further lent the package false credibility by artificially inflating the download count to over 11 million, creating a false sense of legitimacy and popularity. This incident underscores the escalating sophistication of supply chain threats in open-source software, particularly those targeting the rapidly growing blockchain and cryptocurrency sectors.

Threat Actor Profile

The threat actors behind the Netherеum.All campaign demonstrated a high degree of technical acumen and operational security awareness. By exploiting homoglyphs, they bypassed casual scrutiny and automated detection mechanisms, a tactic increasingly favored in supply chain attacks. The attackers operated under the publisher alias nethereumgroup and previously released another malicious package, NethereumNet, indicating a persistent focus on typosquatting and brand impersonation within the Nethereum ecosystem. While no direct attribution to a known advanced persistent threat (APT) group has been established, the campaign’s focus on credential theft and financial gain aligns with the tactics, techniques, and procedures (TTPs) of financially motivated cybercriminals. The rapid deployment and removal of the package, combined with the use of XOR-encoded C2 endpoints, suggest a well-resourced and agile adversary capable of adapting to countermeasures.

Technical Analysis of Malware/TTPs

The counterfeit Netherеum.All package was published to the NuGet repository on October 16, 2025, and remained available until its removal on October 20, 2025. The attackers employed a homoglyph attack by replacing the final "e" in "Nethereum" with the Cyrillic "е", a character visually indistinguishable from its Latin counterpart but with a different Unicode code point. This allowed the malicious package to masquerade as the legitimate Nethereum library, evading both human and automated vetting processes.

Upon installation, the package introduced a malicious payload within the function EIP70221TransactionService.Shuffle. This function contained an XOR-encoded string, which, when decoded, revealed the C2 endpoint solananetworkinstance[.]info/api/gads. The malware was engineered to harvest sensitive data, including mnemonic phrases, private keys, and keystore files, from the host environment. Once collected, this data was exfiltrated to the attacker-controlled C2 server using standard web protocols, specifically HTTP POST requests.

To enhance the perceived legitimacy of the package, the attackers orchestrated a large-scale download inflation campaign, artificially boosting the download count to 11.7 million. This tactic exploited the common heuristic among developers that high download numbers equate to trustworthiness and stability. The attackers’ previous release of NethereumNet with similar malicious capabilities further demonstrates a pattern of persistent targeting and iterative refinement of their attack methodology.

Exploitation in the Wild

The exploitation phase of the Netherеum.All campaign was characterized by a rapid and targeted approach. The primary victims were .NET developers seeking to integrate Ethereum blockchain functionality into their applications via the NuGet package manager. By leveraging the homoglyph attack, the adversaries successfully inserted their malicious package into the supply chain, where it could be unwittingly adopted by developers and subsequently deployed in production environments.

During the four-day window in which the package was available, any project that incorporated Netherеum.All was at risk of credential theft. The exfiltrated data—mnemonic phrases, private keys, and keystore files—could be used to compromise cryptocurrency wallets, resulting in direct financial losses for both developers and end users. The artificial download inflation further increased the likelihood of adoption, as developers often rely on download metrics to assess package reliability.

Detection of the malicious activity was complicated by the use of XOR encoding for the C2 endpoint and the package’s close resemblance to the legitimate Nethereum library. The attack was ultimately discovered and the package removed, but only after it had been available long enough to potentially affect a significant number of projects and users.

Victimology and Targeting

The primary targets of the Netherеum.All campaign were .NET developers and organizations building applications that interact with the Ethereum blockchain. The attack specifically exploited the trust placed in the NuGet package ecosystem and the widespread use of the Nethereum library for Ethereum integration. Victims included individual developers, small startups, and potentially larger enterprises with blockchain initiatives.

The targeting strategy relied on the high visibility and popularity of Nethereum, increasing the probability that developers would inadvertently select the malicious package. The use of homoglyphs ensured that even vigilant developers could be deceived, particularly in environments where package installation is automated or where visual inspection is cursory. The theft of wallet credentials posed a severe risk, as it enabled attackers to drain cryptocurrency assets with little recourse for recovery.

Mitigation and Countermeasures

To defend against similar supply chain attacks, organizations and developers should implement a multi-layered approach to dependency management and threat detection. First, always verify the authenticity of package names and publishers, paying close attention to subtle character substitutions such as homoglyphs. Employ automated tools capable of detecting Unicode anomalies in package names and flagging suspicious dependencies.

Regularly audit all dependencies, especially those added or updated during the period of October 16–20, 2025. Remove any instances of Netherеum.All (with the Cyrillic "е") or NethereumNet from your projects immediately. Rotate all potentially exposed wallet credentials, including mnemonic phrases and private keys, and monitor for unauthorized transactions.
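The homoglyph check described in the technical analysis and the dependency audit called for here, written as an added Python example; it is not Rescana's tooling or anything from the Nethereum or NuGet projects. It assumes an SDK-style .csproj with PackageReference items, a small constructed subset of the Unicode confusables table (CONFUSABLES), and a constructed sample project (SAMPLE_CSPROJ, TRUSTED, with illustrative version numbers).

```python
import unicodedata
import xml.etree.ElementTree as ET
# Cyrillic letters that render like Latin ones: a small constructed subset of the
# Unicode TR39 confusables table; a production tool should load the full table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
               "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
               "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T"}

def skeleton(name):
    """Map look-alike characters to Latin so visually identical ids compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)

def scripts_in(name):
    """Unicode scripts used by the letters of an id, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}

def analyze(package_id, known_good):
    """Return findings for one package id; an empty list means it looks clean."""
    findings = []
    non_ascii = [f"{ch!r} U+{ord(ch):04X}" for ch in package_id if ord(ch) > 127]
    if non_ascii:
        findings.append("non-ASCII characters: " + ", ".join(non_ascii))
    scripts = scripts_in(package_id)
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    twin = skeleton(package_id)
    if twin != package_id and twin in known_good:
        findings.append(f"visually identical to trusted package {twin}")
    return findings

def scan_csproj(xml_text, known_good):
    """Check every <PackageReference Include=...> in a .csproj; return flagged ids."""
    flagged = {}
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        pkg = ref.get("Include", "")
        findings = analyze(pkg, known_good)
        if findings:
            flagged[pkg] = findings
    return flagged
# Constructed sample project file: the second reference uses Cyrillic U+0435.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Nethereum.All" Version="1.0.0" />
  <PackageReference Include="Nether\u0435um.All" Version="1.0.0" />
  <PackageReference Include="Newtonsoft.Json" Version="1.0.0" />
</ItemGroup></Project>"""
TRUSTED = {"Nethereum.All", "Newtonsoft.Json"}
if __name__ == "__main__":
    for pkg, issues in scan_csproj(SAMPLE_CSPROJ, TRUSTED).items():
        print(f"FLAG {pkg!a}: " + "; ".join(issues))
```

The same analyze() function can be run over packages.lock.json or a NuGet feed export; the skeleton comparison is what catches a package that passes a plain "is it ASCII" check only because the whole id is typed in one foreign script.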

Network monitoring should be configured to detect and block outbound connections to known malicious domains, including solananetworkinstance[.]info. Implement strict egress filtering and anomaly detection to identify unusual data exfiltration patterns. Educate development teams about the risks of supply chain attacks and the importance of scrutinizing third-party dependencies, regardless of apparent popularity or download metrics.
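A minimal egress check of the kind this paragraph describes, added here as a Python example that is not Rescana's product or anything from the original post. It assumes a simple constructed proxy log format (timestamp, client IP, method, URL, status), takes the indicator in the defanged form given above, and treats subdomains of the indicator as matches.

```python
from urllib.parse import urlsplit

# Indicator from the advisory, kept in the defanged form analysts share it in.
DEFANGED_C2 = "solananetworkinstance[.]info"

def refang(indicator):
    """Turn a defanged domain indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower()

def host_matches(host, bad_domain):
    """True for the domain itself and any subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == bad_domain or host.endswith("." + bad_domain)

def scan_proxy_log(lines, indicators):
    """Return (timestamp, client, method, url) for every request to an indicator.

    Assumed line format (constructed for this example):
    <timestamp> <client-ip> <method> <url> <status>
    """
    bad = [refang(i) for i in indicators]
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than crash the scan
        ts, client, method, url = parts[:4]
        host = urlsplit(url).hostname or ""
        if any(host_matches(host, d) for d in bad):
            hits.append((ts, client, method, url))
    return hits

# Constructed sample egress log: two POSTs to the C2 domain among normal traffic.
SAMPLE_LOG = """\
2025-10-17T09:12:01Z 10.0.4.21 GET https://api.nuget.org/v3/index.json 200
2025-10-17T09:12:05Z 10.0.4.21 POST https://solananetworkinstance.info/api/gads 200
2025-10-17T09:13:40Z 10.0.4.37 GET https://github.com/Nethereum/Nethereum 200
2025-10-17T09:14:02Z 10.0.4.21 POST https://cdn.solananetworkinstance.info/api/gads 403
""".splitlines()

if __name__ == "__main__":
    for ts, client, method, url in scan_proxy_log(SAMPLE_LOG, [DEFANGED_C2]):
        print(f"ALERT {ts} {client} {method} {url}")
```

A blocked (403) request still appears in the output on purpose: a developer machine that attempted the POST has the package installed and needs the credential rotation described above even though the exfiltration itself failed.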

Finally, maintain an incident response plan that includes procedures for rapid dependency auditing, credential rotation, and forensic analysis in the event of a suspected supply chain compromise.

References

The following resources provide additional technical details and context regarding the Netherеum.All supply chain attack:

NuGet Security Guidance: Microsoft Documentation

Nethereum Official Repository: GitHub

Socket Threat Research Team: Socket Blog

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to identify, assess, and mitigate cyber risks across their supply chain. Our advanced analytics and continuous monitoring capabilities empower security teams to proactively defend against emerging threats and ensure the integrity of their software ecosystem. For more information about how Rescana can help safeguard your organization, we are happy to answer questions at ops@rescana.com.