"Hackers Target .NET Developers with Malicious NuGet Packages"

Threat actors are delivering cryptocurrency stealers to .NET developers through the NuGet repository, using typosquatting to impersonate multiple legitimate packages. According to JFrog security researchers Natan Nehorai and Brian Moussalli, who identified this ongoing campaign, three of the malicious NuGet packages have been downloaded more than 150,000 times in a month. A large number of .NET developers may have had their systems compromised, but the massive number of downloads could indicate that the attackers were attempting to make their malicious NuGet packages look legitimate. When creating their NuGet repository profiles, the threat actors used typosquatting to mimic Microsoft software developers working on the NuGet .NET package manager. The malware installed on compromised systems can steal cryptocurrency by exfiltrating victims' cryptocurrency wallets through Discord webhooks, extract and execute malicious code from Electron archives, and auto-update by querying the attacker-controlled command-and-control (C2) server. This article continues to discuss threat actors who target .NET developers through the NuGet repository, infecting them with cryptocurrency stealers and impersonating legitimate packages via typosquatting.

Bleeping Computer reports "Hackers Target .NET Developers with Malicious NuGet Packages"


 
