NuGet malware targets crypto wallets, OAuth tokens
released on 2025-12-17 @ 09:22:38 PM
ReversingLabs discovered malicious packages on NuGet targeting the crypto ecosystem. The campaign, starting in July 2025, involved 14 packages impersonating legitimate crypto-related tools. The malware aimed to steal crypto funds by redirecting transactions or exfiltrating secrets for wallet access. Techniques used to appear trustworthy included homoglyphs, version bumping, and inflating download counts. The packages were divided into three groups: wallet stealers, crypto-funds stealers, and Google Ads OAuth stealers. This campaign highlights the ongoing exploitation of trust in the software supply chain, potentially affecting entire projects and communities relying on compromised dependencies.
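One way to screen a dependency list for the homoglyph technique mentioned above, as an added example that is not code from ReversingLabs or from this page. The package IDs are constructed placeholders, the look-alike table is a small assumed subset rather than the full Unicode confusables data, and the function names are hypothetical.

```python
import unicodedata

# Assumed subset of Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03bf": "o", "\u03bd": "v", "\u03b9": "i",
}

# Constructed sample data: IDs the project intends to use, and IDs found in a lock file.
TRUSTED_IDS = ["Contoso.Wallet", "Fabrikam.Json"]
SAMPLE_IDS = ["Contoso.Wallet", "Contoso.Wall\u0435t", "Fabrikam.Json", "Fabrikam.T\u03bfols"]

def script_of(ch):
    """Rough script label: first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(package_id):
    """Lowercase the ID and fold known look-alike letters to ASCII."""
    folded = unicodedata.normalize("NFKC", package_id).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def audit(package_ids, trusted_ids):
    """Return (id, reason, non_ascii_chars) for every suspicious package ID."""
    trusted = {t.lower(): t for t in trusted_ids}
    findings = []
    for pid in package_ids:
        scripts = {script_of(c) for c in pid} - {"COMMON"}
        non_ascii = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                     for c in pid if not c.isascii()]
        target = trusted.get(skeleton(pid))
        if target and pid.lower() != target.lower():
            # Renders like a trusted ID but is a different string.
            findings.append((pid, "impersonates " + target, non_ascii))
        elif len(scripts) > 1 or non_ascii:
            findings.append((pid, "non-ASCII or mixed-script ID", non_ascii))
    return findings

if __name__ == "__main__":
    for pid, reason, chars in audit(SAMPLE_IDS, TRUSTED_IDS):
        print(f"{pid!r}: {reason} {chars}")
```

The check covers only the naming trick; version bumping and inflated download counts need registry metadata and are not evaluated here.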