Security researchers have uncovered five malicious NuGet packages published under the threat actor account bmrxntfj. The packages typosquat widely used Chinese .NET UI and infrastructure libraries while silently deploying an advanced infostealer that targets developer workstations and CI/CD build pipelines worldwide.
The five malicious packages, IR.DantUI, IR.OscarUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core and IR.iplus32, have collectively amassed approximately 64,784 downloads across 224 published versions dating back to September 2025.
All five packages remain live on the NuGet Gallery at the time of writing, despite formal takedown requests to Microsoft’s NuGet security team. The scale of exposure places tens of thousands of developer workstations and enterprise CI/CD servers at direct risk of credential theft and cryptocurrency wallet compromise.
Malicious NuGet Packages
The threat actor took a more targeted approach by impersonating Chinese enterprise .NET libraries that specific developer communities are already consuming internally.
IR.DantUI and IR.OscarUI wrap AntdUI, a legitimate MIT-licensed WinForms component library hosted on Gitee; notably, “DantUI” is a single-character anagram of “AntdUI.”
The remaining three packages, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core and IR.iplus32, mirror namespaces consistent with internal Chinese enterprise infrastructure patterns, making the package names highly plausible to developers in those environments and dramatically reducing suspicion at install time.
One of the most technically sophisticated elements of this campaign is its deliberate evasion of file-hash-based IOC detection. Of the 224 published versions, 219 are marked listed: false, which hides them from public NuGet search while keeping them installable via direct version-pinned commands.
The operator keeps only one visible version at a time, then rotates to a new version number: version 2.1.55 was published and then rotated to 2.1.56 and 2.1.57 after analysis began, invalidating previously generated DLL hashes.
This rotation cycle has been active for at least seven months, with all five version 2.1.55 packages published within a 12.78-second scripted window on April 14, 2026, in an order that respects their dependency graph.
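The unlisted-version rotation described above is something a defender can check for directly against a package's NuGet registration index, which still enumerates versions marked listed: false. The following Python is an added example, not code from the report or from Socket. It assumes the nesting of the public NuGet v3 registration resource (items -> items -> catalogEntry with version, listed and published fields) and uses a constructed index for a hypothetical package named Example.Package rather than real gallery data; the 20-version and 90 percent thresholds are illustrative defaults, not figures from the report.

```python
import json
from datetime import datetime, timezone


# Constructed sample of a NuGet v3 registration index for a hypothetical
# package "Example.Package" (not one of the packages in the report). The
# nesting (items -> items -> catalogEntry) follows the public registration
# resource; the versions, dates and listed flags are invented for the example.
SAMPLE_REGISTRATION_INDEX = json.loads("""
{
  "count": 1,
  "items": [{
    "count": 5,
    "items": [
      {"catalogEntry": {"id": "Example.Package", "version": "2.1.53",
                        "listed": false, "published": "2026-04-10T09:00:00Z"}},
      {"catalogEntry": {"id": "Example.Package", "version": "2.1.54",
                        "listed": false, "published": "2026-04-12T09:00:00Z"}},
      {"catalogEntry": {"id": "Example.Package", "version": "2.1.55",
                        "listed": false, "published": "2026-04-14T09:00:00Z"}},
      {"catalogEntry": {"id": "Example.Package", "version": "2.1.56",
                        "listed": false, "published": "2026-04-16T09:00:00Z"}},
      {"catalogEntry": {"id": "Example.Package", "version": "2.1.57",
                        "listed": true,  "published": "2026-04-18T09:00:00Z"}}
    ]
  }]
}
""")


def _parse_ts(value):
    # Registration timestamps are ISO-8601 with a trailing Z; normalise to UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def iter_catalog_entries(index):
    """Yield every catalogEntry in a registration index, including unlisted ones."""
    for page in index.get("items", []):
        for leaf in page.get("items", []):
            entry = leaf.get("catalogEntry")
            if entry:
                yield entry


def summarize_versions(index):
    """Count listed vs. unlisted versions and measure the publish cadence."""
    entries = sorted(iter_catalog_entries(index), key=lambda e: _parse_ts(e["published"]))
    # A missing "listed" field means the version is visible.
    listed = [e["version"] for e in entries if e.get("listed", True)]
    stamps = [_parse_ts(e["published"]) for e in entries]
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return {
        "package": entries[0]["id"] if entries else None,
        "total": len(entries),
        "unlisted": len(entries) - len(listed),
        "listed_versions": listed,
        "median_gap_days": (sorted(gaps)[len(gaps) // 2] / 86400) if gaps else None,
    }


def flag_rotation(summary, min_versions=20, unlisted_ratio=0.9):
    """Flag the rotation pattern: many versions, nearly all unlisted, at most one visible."""
    if summary["total"] < min_versions:
        return False
    ratio = summary["unlisted"] / summary["total"]
    return ratio >= unlisted_ratio and len(summary["listed_versions"]) <= 1


if __name__ == "__main__":
    s = summarize_versions(SAMPLE_REGISTRATION_INDEX)
    print(s)
    # The constructed sample is small, so the thresholds are lowered for the demo.
    print("rotation pattern:", flag_rotation(s, min_versions=5, unlisted_ratio=0.75))
```

To use this against a live package, fetch its registration index from the RegistrationsBaseUrl resource advertised in the NuGet v3 service index and pass the parsed JSON to summarize_versions. One caveat: for packages with many versions the registration index pages its leaves out to separate documents (each page item carries an @id but no inline items), and this sample does not follow those links, so it would undercount in exactly the high-version-count case that matters here.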
The attack chain is fully automated and requires no user interaction. The payload fires through the .NET module initializer, which the CLR invokes automatically before any application code executes on first DLL load.
Each package uses .NET Reactor’s Necrobit protection to wrap a decompiled copy of the legitimate library, then inserts a bootstrap hook that performs the following sequence on load: it verifies the assembly’s anti-tamper integrity using an embedded RSA-1024 public key, allocates read-write-execute memory via VirtualAlloc(PAGE_EXECUTE_READWRITE), decrypts the stage-2 encrypted method IL into that region, and patches clrjit.dll!getJit with a 4-byte JMP to hijack the CLR’s entire JIT compilation pipeline.
Critically, the same attack chain is fully cross-platform: on Linux it writes to /proc/self/mem, and on macOS it resolves libSystem and libclrjit, meaning any Linux or macOS CI runner that loads an IR.* package is equally compromised.
Win32 API names such as OpenProcess are assembled at runtime from split string literals ("Open ".Trim() + "Process") to evade static analysis scanners.
The recovered stealer payload, we4ftg.exe (a 786 KB .NET MSIL binary), was extracted from a live memory dump after Reactor decryption, so all class names and configuration strings are recoverable in plaintext. The stealer’s reach is extensive:
- 12 Chromium-family browsers targeted: Chrome, Edge, Brave, Opera, Vivaldi, Epic Privacy, Torch, Comodo, Slimjet, Iridium, 7Star, and AVG Secure Browser, including both Chrome v10 DPAPI and v20 AppBound encryption (introduced in Chrome 127 in July 2024)
- 5 browser crypto wallet extensions: MetaMask, TronLink, Phantom, Trust Wallet, and Coinbase Wallet
- 8 desktop crypto wallets: Exodus, Electrum, Atomic, Guarda, Coinomi, Ledger, Jaxx, and Binance
- Additional targets: SSH private keys (id_rsa), Outlook email profiles, Steam session files, and the full contents of the Documents, Desktop, and Downloads folders
All harvested data is staged at C:\ProgramData\Microsoft OneDrive\keys.dat, abusing a real OneDrive directory in which legitimate OneDrive never writes such a file, before being exfiltrated via HTTP POST to https://dns-providersa2[.]com/upload.
Each HTTP request uses a randomly generated X-{3 random letters} header to defeat static network-layer detection signatures.
The primary C2 domain, dns-providersa2[.]com, was registered on March 12, 2026, 33 days before the NuGet publish burst, and resolves to 62[.]84[.]102[.]85, a VDSINA VPS in Amsterdam registered to a UAE shell company, with nameserver authority delegated to Njalla, a Nevis-incorporated privacy registrar routinely used by ransomware and stealer operators.
Socket attributed the campaign across VirusTotal using the unique RSA-1024 modulus embedded in IR.iplus32’s Reactor bootstrap (base64 prefix: zlUkMywGKDNbeJxH), which pivoted to four operator-owned artifacts first seen as early as March 7, 2026, including a 100 MB live memory dump and fake Windows system DLLs carrying crowdsourced YARA labels such as Lumma, Quantum, AgentRacoon, and ArrowRAT. Two nuspec files also reference git[.]justdotrip[.]com (hosted at 47[.]100[.]60[.]237 on Alibaba Cloud Shanghai), likely the threat actor’s private development server.
Mitigation
Organizations using .NET should act immediately on the following:
- Audit all project files and packages.lock.json for any IR.* package references; treat any matching machine as fully compromised
- Rotate all credentials accessible from affected machines: browser passwords, API keys, SSH private keys, crypto wallet seeds, and cloud credentials
- Block DNS resolution of dns-providersa2[.]com and outbound connections to 62[.]84[.]102[.]85
- Alert on file creation at C:\ProgramData\Microsoft OneDrive\keys.dat, as legitimate OneDrive never writes this file
- Alert on CoCreateInstance calls requesting the Microsoft Edge IElevator IID {c9c2b807-7731-4f34-81b7-44ff7779522b} from any non-Edge process
- Flag outbound HTTP requests carrying headers matching the X-[a-z]{3} pattern from build or developer machines
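Two of the mitigations above, auditing project files and packages.lock.json for IR.* references and flagging the X-<three letters> header pattern, can be scripted for a whole source tree or a proxy log export. The Python below is an added example written for this page, not tooling from the report or from Socket. It assumes SDK-style project files with PackageReference items and the packages.lock.json layout (dependencies keyed by target framework, then by package id); the project tree and log lines it scans are constructed inside the block as test data, and the header regex is an interpretation of the report's X-[a-z]{3} pattern, matched case-insensitively and only where a colon follows the three letters so that longer standard headers such as X-Forwarded-For are not flagged.

```python
import json
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Package-id prefix from the report's IOCs; NuGet ids are case-insensitive.
SUSPECT_ID_PATTERN = re.compile(r"^IR\.", re.IGNORECASE)

# Assumed reading of the report's X-[a-z]{3} pattern: "X-" plus exactly three
# letters followed by ':'. The lookbehind/lookahead keep names like
# X-Forwarded-For or X-Api-Key (longer than three letters) from matching.
SUSPECT_HEADER_PATTERN = re.compile(r"(?<![\w-])X-[a-z]{3}(?=\s*:)", re.IGNORECASE)


def ids_from_lock_file(path):
    """Return (id, resolved_version) pairs from a packages.lock.json file."""
    data = json.loads(Path(path).read_text(encoding="utf-8"))
    found = []
    for framework_deps in data.get("dependencies", {}).values():
        for pkg_id, info in framework_deps.items():
            found.append((pkg_id, info.get("resolved", "?")))
    return found


def ids_from_project_file(path):
    """Return (id, version) pairs from PackageReference items in a project file."""
    found = []
    for ref in ET.parse(path).getroot().iter():
        if ref.tag.rsplit("}", 1)[-1] != "PackageReference":  # tolerate an xmlns
            continue
        pkg_id = ref.get("Include") or ref.get("Update")
        if pkg_id:
            found.append((pkg_id, ref.get("Version", "?")))
    return found


def audit_tree(root_dir, pattern=SUSPECT_ID_PATTERN):
    """Walk a source tree and report every package reference whose id matches pattern."""
    root_dir = Path(root_dir)
    hits = []
    for path in root_dir.rglob("*"):
        if path.name == "packages.lock.json":
            refs = ids_from_lock_file(path)
        elif path.suffix.lower() in (".csproj", ".fsproj", ".vbproj"):
            refs = ids_from_project_file(path)
        else:
            continue
        for pkg_id, version in refs:
            if pattern.search(pkg_id):
                hits.append((str(path.relative_to(root_dir)), pkg_id, version))
    return sorted(hits)


def suspicious_header_lines(lines, pattern=SUSPECT_HEADER_PATTERN):
    """Return the log lines whose headers match the X-<three letters> pattern."""
    return [line for line in lines if pattern.search(line)]


def build_sample_tree(base):
    """Write a constructed sample project under base (test data, not real files)."""
    base = Path(base)
    (base / "App").mkdir(parents=True)
    (base / "App" / "App.csproj").write_text(
        '<Project Sdk="Microsoft.NET.Sdk">\n  <ItemGroup>\n'
        '    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />\n'
        '    <PackageReference Include="IR.DantUI" Version="2.1.57" />\n'
        '  </ItemGroup>\n</Project>\n', encoding="utf-8")
    (base / "App" / "packages.lock.json").write_text(json.dumps({
        "version": 1,
        "dependencies": {"net8.0": {
            "Newtonsoft.Json": {"type": "Direct", "resolved": "13.0.3"},
            "IR.Infrastructure.Core": {"type": "Transitive", "resolved": "2.1.56"},
        }}}), encoding="utf-8")
    return base


def run_sample_audit():
    """Build the constructed sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_tree(tmp))


# Constructed proxy log lines (not captured traffic).
SAMPLE_LOG_LINES = [
    'POST /upload hdr="X-qzt: 1; Content-Type: application/octet-stream"',
    'GET /index.json hdr="X-Forwarded-For: 10.0.0.5; Accept: */*"',
    'POST /api hdr="X-Api-Key: redacted"',
]


if __name__ == "__main__":
    for hit in run_sample_audit():
        print("package reference:", hit)
    for line in suspicious_header_lines(SAMPLE_LOG_LINES):
        print("suspicious header:", line)
```

Point audit_tree at a checkout root to scan real projects; a hit in packages.lock.json with type Transitive is worth the same response as a direct reference, since the module initializer runs on DLL load regardless of how the package arrived. The header check is a coarse first pass: a match is a lead, not proof, and the report's pattern should be paired with the destination-based blocks listed above.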
FAQ
Q1: Does simply running nuget restore trigger the malicious payload?
Yes, restoring and loading the DLL in any .NET host process automatically fires the module initializer, without any additional install step or user interaction.
Q2: Are Linux and macOS CI/CD environments also at risk from these packages?
Yes, the payload contains fully wired cross-platform code paths targeting /proc/self/mem on Linux and libSystem/libclrjit on macOS, making all major operating systems vulnerable.
Q3: How did Socket attribute all five packages to a single threat actor?
Socket pivoted on the unique RSA-1024 modulus that .NET Reactor embeds, which is specific to the operator’s license and therefore linked all five packages to the same VirusTotal cluster of malicious artifacts.
Q4: What makes this campaign harder to detect than typical supply chain attacks?
Version rotation across 219 unlisted package versions continuously invalidates file-hash-based IOCs, while string-split API name assembly and randomized HTTP headers evade both static and network-layer detection tools.
Site: thecybrdef.com