Rogue NuGet Package Mimics Tracer.Fody, Steals Crypto Wallet Data
These articles are AI-generated summaries. Please check the original sources for full details.
Rogue NuGet Package Poses as Tracer.Fody
A malicious NuGet package, “Tracer.Fody.NLog,” successfully impersonated the legitimate .NET tracing library “Tracer.Fody” for nearly six years, impacting over 2,000 projects. Security researchers discovered that the package steals Stratis cryptocurrency wallet files and passwords and exfiltrates the data to infrastructure hosted in Russia.
Why This Matters
Current software supply chain security relies heavily on trust and often fails to detect subtle impersonation techniques such as typosquatting and character substitution. The potential scale of compromise is substantial, as demonstrated by this package’s long undetected presence and successful theft of sensitive cryptocurrency wallet data; the exfiltration of just a handful of wallets can result in significant financial loss.
Key Insights
- Six-year undetected presence: The package remained active on NuGet for almost six years (2020-2025) before it was detected.
- Typosquatting: The malicious package used a subtly different username (“csnemess” vs “csnemes”) to mimic the legitimate maintainer.
- IP Address Reuse: The same Russian-hosted IP address (176.113.82[.]163) was linked to a similar NuGet impersonation attack in December 2023.
Working Example
(No code provided in the context)
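The original article provides no code. The following is an added example (not from the article or from the Tracer.Fody project) of the kind of dependency audit the Key Insights suggest: it flags package references whose id is one edit away from a trusted id, whose id claims to be a sub-package of a trusted id while being published by a different owner, or whose owner name is a near-miss of a trusted maintainer. The allow-list entry “Tracer.Fody”/“csnemes” and the look-alike “Tracer.Fody.NLog”/“csnemess” come from the article; the “Example.Logging” entries and the sample package list are constructed, and the real NuGet feed is not queried, so the script runs offline. In practice the owner of record for each package must be fetched from the feed rather than hard-coded.

```python
"""Flag NuGet package references that resemble, but are not, trusted packages."""

# Trusted package ids and the NuGet owner expected to publish them.
# "Tracer.Fody"/"csnemes" is taken from the article; "Example.Logging"
# is a constructed entry for this example.
TRUSTED_OWNERS = {
    "Tracer.Fody": "csnemes",
    "Example.Logging": "example-owner",  # constructed
}

# Constructed sample of resolved references (package id, publishing owner),
# as a lockfile plus feed lookup would produce; the NuGet API is not called.
SAMPLE_PACKAGES = [
    ("Tracer.Fody", "csnemes"),          # legitimate
    ("Tracer.Fody.NLog", "csnemess"),    # look-alike from the article
    ("Example.Logging", "example-owner"),  # constructed, legitimate
    ("Examp1e.Logging", "someone-else"),   # constructed: '1' for 'l'
]

# Finding codes returned by audit().
ID_NEAR_MISS = "id-near-miss"                      # one edit from a trusted id
SUBPACKAGE_FOREIGN_OWNER = "subpackage-foreign-owner"  # "Trusted.X" by someone else
OWNER_NEAR_MISS = "owner-near-miss"                # owner one edit from a trusted owner
OWNER_MISMATCH = "owner-mismatch"                  # trusted id, unexpected owner


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b; inputs are short so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def audit(packages, trusted=TRUSTED_OWNERS):
    """Return {package_id: [finding codes]} for references that deserve a human look."""
    findings = {}
    trusted_owners = set(trusted.values())
    for pkg_id, owner in packages:
        reasons = []
        if pkg_id in trusted:
            # Exact trusted id: only the publisher can be wrong.
            if owner != trusted[pkg_id]:
                reasons.append(OWNER_MISMATCH)
        else:
            for tid, towner in trusted.items():
                if levenshtein(pkg_id.casefold(), tid.casefold()) <= 1:
                    reasons.append(ID_NEAR_MISS)
                elif (pkg_id.casefold().startswith(tid.casefold() + ".")
                      and owner != towner):
                    reasons.append(SUBPACKAGE_FOREIGN_OWNER)
            # An unknown owner whose name is one edit from a trusted one.
            if owner not in trusted_owners and any(
                levenshtein(owner.casefold(), t.casefold()) <= 1
                for t in trusted_owners
            ):
                reasons.append(OWNER_NEAR_MISS)
        if reasons:
            findings[pkg_id] = reasons
    return findings


if __name__ == "__main__":
    for pkg_id, reasons in audit(SAMPLE_PACKAGES).items():
        print(f"{pkg_id}: {', '.join(reasons)}")
```

The sub-package rule is what would have caught this case: a package named as an extension of a trusted id (“Tracer.Fody.NLog”) published by an owner other than the trusted maintainer is treated as suspect until someone confirms it, and the owner near-miss rule independently flags “csnemess” against “csnemes”. Case-folding before comparison also catches look-alikes that differ only in capitalisation.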
Practical Applications
- Use Case: Developers integrating tracing libraries into .NET projects unknowingly install a malicious package, exposing their Stratis wallets.
- Pitfall: Over-reliance on package names without verifying publisher legitimacy can lead to supply chain compromise and data theft.