The Five-Year Sleeper: Malicious NuGet Package Poses as Tracer.Fody to Drain Crypto Wallets
A covert threat has been uncovered within the .NET ecosystem, stemming from the impersonation of a widely used tracing library. For more than five years, a malicious package circulated in the NuGet repository, masquerading as a legitimate component while surreptitiously targeting cryptocurrency wallet data.
The package in question, Tracer.Fody.NLog, mimicked the well-known Tracer.Fody library and even its author. It was identified by the Socket Threat Research Team. On its NuGet page, it appeared to be a standard extension for integrating tracing with NLog, yet its internals concealed code designed to exfiltrate Stratis wallet data. The embedded library scanned the default Stratis directory, located .wallet.json files, extracted their contents, and transmitted them—along with the corresponding passwords—to an attacker-controlled server.
Multiple camouflage techniques were employed to sustain the deception. The package name differed from the original by only a subtle variation, and the publisher account, csnemess, deviated from the legitimate maintainer’s name, csnemes, by a single letter. In addition, the code leveraged homoglyphs—Cyrillic characters visually indistinguishable from their Latin counterparts. As a result, type and attribute names appeared correct at a glance but differed at the Unicode level, complicating manual inspection.
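The two disguises described above, a lookalike publisher name and homoglyph identifiers, can both be caught mechanically. The following Python script is an added example for reviewers auditing a dependency, not code from Socket or from the package itself; the identifiers it scans are constructed samples, and the only trusted publisher name it knows is the one the article gives.

```python
import unicodedata

# Constructed sample identifiers. The second one has a Cyrillic 'а' (U+0430)
# and 'е' (U+0435) swapped in for Latin letters, the kind of homoglyph
# substitution the article describes in Tracer.Fody.NLog's type and
# attribute names. All three render identically in most editor fonts.
SAMPLE_IDENTIFIERS = ["TraceAttribute", "Tr\u0430ceAttribut\u0435", "NLogAdapter"]

# Trusted publisher names to compare against (from the article).
KNOWN_PUBLISHERS = ["csnemes"]


def script_of(ch):
    """Script family of a letter, derived from its Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def homoglyph_positions(identifier):
    """(index, char, U+XXXX) for every letter that is not Latin script.

    .NET identifiers in a typical project are pure Latin, so any other
    script is worth a look even though it renders the same on screen.
    """
    return [(i, c, f"U+{ord(c):04X}") for i, c in enumerate(identifier)
            if c.isalpha() and script_of(c) != "LATIN"]


def levenshtein(a, b):
    """Edit distance; short package and publisher names keep this cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_publisher(name, known=KNOWN_PUBLISHERS):
    """Trusted name this publisher is exactly one edit away from, else None."""
    for k in known:
        if name != k and levenshtein(name, k) == 1:
            return k
    return None


def audit(identifiers=SAMPLE_IDENTIFIERS):
    """Map each identifier containing non-Latin letters to those positions."""
    return {ident: homoglyph_positions(ident) for ident in identifiers
            if homoglyph_positions(ident)}
```

Running `audit()` on the samples flags only the second identifier, reporting the exact code points so a reviewer can see what the eye cannot; `lookalike_publisher("csnemess")` returns `"csnemes"`.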
Once introduced into a project, the malicious package quietly embedded itself into a generic argument-validation helper method. Whenever an object containing a WalletPassword property appeared within the application, a background routine was triggered, silently transmitting wallet data and passwords to a remote server without notifications or logging. Errors were suppressed, ensuring that application behavior remained outwardly unaffected.
First published in 2020, Tracer.Fody.NLog accumulated approximately two thousand downloads over time. According to the researchers, its prolonged presence and convincing disguise may have allowed it to infiltrate private tools, developer workstations, and build pipelines associated with Stratis-based projects. At the time of discovery, the package was still available on NuGet, and the platform’s security team was duly notified.
This incident was not an isolated case. In 2023, a similar infrastructure was used to distribute the package Cleary.AsyncExtensions, which impersonated work by Stephen Cleary and intercepted mnemonic phrases and passwords, forwarding them to the same IP address. This pattern points to a sustained campaign aimed at .NET supply chains through the abuse of trusted utility libraries.
Experts caution that tracing, logging, and build-time code-rewriting tools pose a particular risk, as they are widely adopted and often have access to sensitive data. The Tracer.Fody.NLog case underscores a sobering reality: even long-standing, seemingly innocuous dependencies can remain latent sources of compromise for years.