A stealthy supply chain attack is quietly spreading through the .NET ecosystem, targeting developers and build pipelines with malicious NuGet packages disguised as legitimate libraries.
Security researchers have uncovered five rogue packages that have already accumulated over 64,000 downloads, exposing developer machines, CI/CD systems, and enterprise environments to serious compromise.
Unlike typical malware campaigns, this attack is not loud or obvious. It operates silently—embedded inside trusted development workflows—making it one of the most dangerous threats facing modern software teams today.
The “Trusted Dependency” Trap
The attackers behind this campaign didn’t rely on fake or broken packages. Instead, they took a smarter approach:
👉 They built malicious packages on top of real, functional code
The packages mimicked well-known libraries such as AntdUI and other enterprise tools used in Chinese development environments, so they looked legitimate enough to pass casual inspection.
This creates a dangerous illusion:
Developers think they’re installing a useful dependency…
But they’re actually introducing a backdoor into their system.
The Silent Execution: No User Interaction Needed
The infection doesn’t rely on phishing, downloads, or clicks.
It starts with a routine developer action:
👉 Running a NuGet package restore
Once the malicious package is loaded:
- A .NET module initializer executes automatically as soon as the assembly is loaded
- No warning or prompt appears
- The payload runs in the background
This means even cautious developers can be compromised without realizing it.
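A module initializer is ordinary metadata in the compiled assembly, so a package can be triaged before it is ever restored into a build. The script below is an added example (not code from the article or any vendor): it treats a .nupkg as the ZIP archive it is and byte-searches every bundled DLL for the "ModuleInitializerAttribute" type name that the C# compiler records in the assembly's #Strings heap. The sample package it builds is constructed in memory and is not a real library. A hit is a review trigger rather than proof of compromise, because legitimate libraries also use module initializers.

```python
"""Heuristic scan of NuGet packages (.nupkg) for assemblies that carry a
module initializer. Added example, not code from the original article or
any vendor. A .nupkg is a ZIP archive; the C# compiler records the
[ModuleInitializer] attribute as a TypeRef named "ModuleInitializerAttribute"
in the assembly's #Strings metadata heap, so a byte search over each DLL is
a cheap, if coarse, first-pass indicator."""
import io
import zipfile
from typing import Dict, List

# Metadata strings worth flagging; extend as needed.
MARKERS = (b"ModuleInitializerAttribute",)


def scan_nupkg_bytes(data: bytes) -> Dict[str, List[str]]:
    """Return {path inside package: [markers found]} for every .dll/.exe in
    the archive. A package with no marker yields an empty dict."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".dll", ".exe")):
                continue
            blob = zf.read(name)
            hits = [m.decode() for m in MARKERS if m in blob]
            if hits:
                findings[name] = hits
    return findings


def scan_nupkg_file(path: str) -> Dict[str, List[str]]:
    """Convenience wrapper for a package already on disk (e.g. from
    ~/.nuget/packages/<id>/<version>/)."""
    with open(path, "rb") as fh:
        return scan_nupkg_bytes(fh.read())


def build_sample_package(with_initializer: bool) -> bytes:
    """Constructed stand-in for a .nupkg (not a real package): a ZIP holding a
    fake DLL whose bytes either do or do not contain the metadata marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Example.nuspec", "<package/>")
        body = b"MZ" + b"\x00" * 64  # fake PE header, constructed
        if with_initializer:
            body += (b"#Strings\x00ModuleInitializerAttribute\x00"
                     b"System.Runtime.CompilerServices\x00")
        zf.writestr("lib/net8.0/Example.dll", body)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("initializer" if flag else "plain", scan_nupkg_bytes(build_sample_package(flag)))
```

Run it over the contents of the local package cache after a restore, and treat any flagged assembly from a package you did not expect to need startup code as something to open in a decompiler before the next build.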
The Version Rotation Trick That Evaded Detection
One of the most advanced aspects of this campaign is how it avoided detection for months.
The attacker published:
- 224 total versions of malicious packages
- 219 hidden from public view
- Only one visible version at a time
By constantly rotating versions, the attacker effectively:
- Broke hash-based detection tools
- Forced security teams to constantly update blocklists
- Extended the life of the campaign undetected
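The rotation pattern is visible in registry metadata: the NuGet V3 registration index for a package ID (on nuget.org, https://api.nuget.org/v3/registration5-semver1/<id-lowercase>/index.json) lists every version, including unlisted ones, each with a "listed" boolean. The code below is an added example (not the article's or any vendor's code) that summarizes such an index and flags the "many unlisted, one visible" shape. It assumes the registration pages are inlined (true for small packages) and does not follow paged "@id" links; the thresholds and the sample indexes it builds are constructed for illustration.

```python
"""Flag NuGet packages whose version history shows the rotation pattern
described in the article: many versions published, almost all unlisted,
one visible at a time. Added example, not code from the article or any
vendor. Input is a NuGet V3 registration index document; only inlined
pages are handled (assumption)."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class VersionSummary:
    package_id: str
    total: int
    listed: int
    unlisted: int
    listed_versions: List[str]


def summarize_registration(index: dict) -> VersionSummary:
    """Count listed and unlisted leaves across all (inlined) pages."""
    leaves = []
    for page in index.get("items", []):
        leaves.extend(page.get("items", []))  # paged "@id" links are not followed
    package_id = ""
    listed_versions: List[str] = []
    unlisted = 0
    for leaf in leaves:
        entry = leaf["catalogEntry"]
        package_id = package_id or entry["id"]
        if entry.get("listed", True):
            listed_versions.append(entry["version"])
        else:
            unlisted += 1
    return VersionSummary(package_id, len(leaves), len(listed_versions),
                          unlisted, listed_versions)


def looks_like_rotation(summary: VersionSummary,
                        min_unlisted: int = 20, max_listed: int = 1) -> bool:
    """Thresholds are this example's assumption, not values from the article."""
    return summary.unlisted >= min_unlisted and summary.listed <= max_listed


def build_sample_index(package_id: str, total: int, listed: Iterable[str]) -> dict:
    """Constructed registration index with versions 1.0.0 .. 1.0.(total-1);
    only the versions in `listed` are marked listed."""
    listed = set(listed)
    leaves = []
    for n in range(total):
        version = f"1.0.{n}"
        leaves.append({
            "@id": f"https://example.invalid/{package_id.lower()}/{version}.json",
            "catalogEntry": {"id": package_id, "version": version,
                             "listed": version in listed},
        })
    return {"count": 1, "items": [{"count": total, "items": leaves}]}


if __name__ == "__main__":
    rotated = summarize_registration(build_sample_index("Lookalike.Lib", 45, {"1.0.44"}))
    benign = summarize_registration(build_sample_index("Good.Lib", 10, [f"1.0.{n}" for n in range(10)]))
    for s in (rotated, benign):
        print(s.package_id, s.total, s.listed, s.unlisted, looks_like_rotation(s))
```

A hash-based blocklist sees only the one version currently visible; counting unlisted leaves per package ID catches the churn itself, which is what the hash list keeps missing.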
👉 The result: a persistent attack active since September 2025
What Happens After Infection
Once inside a system, the malware deploys a second-stage infostealer called we4ftg.exe.
This payload goes after high-value data across the entire machine.
What Data Gets Stolen
This isn’t basic credential theft—it’s a full data harvesting operation.
Browser and session data:
- Chrome, Edge, Brave, Firefox, Opera
- Saved passwords
- Autofill data
- Session cookies
- Payment card details
Cryptocurrency wallets:
- MetaMask, Trust Wallet, Phantom, Coinbase Wallet
- Desktop apps like Exodus, Electrum, Atomic
Developer and system assets:
- SSH private keys
- Outlook profiles
- Steam credentials
- Files from Desktop, Documents, Downloads
👉 In short: everything attackers need for identity theft, lateral movement, and financial fraud
Persistence and Stealth Techniques
To avoid detection, the malware uses stealthy persistence methods:
- Stores stolen data in a folder mimicking Microsoft OneDrive
- Uses file names that appear legitimate at first glance
- Maintains silent background execution
However, one key detection clue exists:
👉 The specific file created in the OneDrive path is something real OneDrive never generates
This makes it a valuable indicator of compromise (IoC) for security teams.
Infrastructure Built to Blend In
The attacker carefully designed the backend infrastructure to avoid suspicion:
- Domains crafted to resemble legitimate services
- Hosting through trusted data centers
- Privacy-focused registrars to delay takedown efforts
Even the command-and-control (C2) domain blends into normal traffic, making detection harder within enterprise environments.
Why This Attack Is a Bigger Deal Than It Looks
This campaign highlights a major shift in cybersecurity:
👉 Developers are now prime targets
Instead of attacking users, threat actors are compromising:
- Developer workstations
- Build pipelines
- Software dependencies
This creates a ripple effect, where a single infected package could impact multiple downstream applications and organizations.
Real-World Risks
The potential damage from this attack goes beyond a single system:
- Compromised CI/CD pipelines
- Exposure of API keys and secrets
- Unauthorized code injection
- Financial loss via crypto wallet theft
- Enterprise-wide breaches
👉 One compromised developer machine = potential supply chain breach
Immediate Action Required
If your environment has used these packages, treat it as a critical security incident.
Steps to take immediately:
- Remove all malicious dependencies
- Rotate all credentials and API keys
- Replace SSH keys
- Secure crypto wallets
- Audit all build and deployment pipelines
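The first step, finding every project that actually resolved a rogue package, is mechanical once a repository uses NuGet lock files. The script below is an added example (not the article's or any project's code): it walks a tree for packages.lock.json files and reports matches against a blocklist. The blocklist entries are placeholders because the article does not name the rogue package IDs, and the sample repository it writes to a temporary directory is constructed.

```python
"""Find which projects pulled in given NuGet package IDs (and versions) by
walking packages.lock.json files. Added example; blocklist entries are
placeholders because the article does not name the rogue package IDs.
packages.lock.json is NuGet's lock file: a "dependencies" map of
target framework -> package id -> {type, requested, resolved, contentHash}."""
import json
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

Finding = Tuple[str, str, str, str]  # (lockfile, framework, package id, resolved version)

# Placeholder blocklist (constructed): lower-cased id -> versions, "*" for any.
BLOCKLIST: Dict[str, Iterable[str]] = {"placeholder.malicious.id": {"1.0.5"}}


def audit_lockfile_text(text: str, blocklist: Dict[str, Iterable[str]],
                        origin: str = "<memory>") -> List[Finding]:
    """Match direct and transitive packages in one lock file against the
    blocklist. NuGet IDs are case-insensitive, so compare lower-cased."""
    doc = json.loads(text)
    findings: List[Finding] = []
    for framework, packages in doc.get("dependencies", {}).items():
        for pkg_id, meta in packages.items():
            bad_versions = blocklist.get(pkg_id.lower())
            if bad_versions is None:
                continue
            resolved = meta.get("resolved", "")
            if "*" in bad_versions or resolved in bad_versions:
                findings.append((origin, framework, pkg_id, resolved))
    return findings


def audit_tree(root: str, blocklist: Dict[str, Iterable[str]]) -> List[Finding]:
    """Walk a checkout and audit every packages.lock.json under it."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        if "packages.lock.json" in filenames:
            path = os.path.join(dirpath, "packages.lock.json")
            with open(path, encoding="utf-8") as fh:
                findings.extend(audit_lockfile_text(fh.read(), blocklist, path))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed two-project repository in a temp dir; hashes are made up."""
    root = tempfile.mkdtemp(prefix="nuget-audit-")
    clean = {"version": 1, "dependencies": {"net8.0": {
        "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )",
                            "resolved": "13.0.3", "contentHash": "constructed=="}}}}
    infected = {"version": 1, "dependencies": {"net8.0": {
        "Placeholder.Malicious.Id": {"type": "Transitive", "resolved": "1.0.5",
                                     "contentHash": "constructed=="},
        "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )",
                            "resolved": "13.0.3", "contentHash": "constructed=="}}}}
    for name, doc in (("Clean.App", clean), ("Infected.App", infected)):
        project_dir = os.path.join(root, name)
        os.makedirs(project_dir)
        with open(os.path.join(project_dir, "packages.lock.json"), "w", encoding="utf-8") as fh:
            json.dump(doc, fh)
    return root


if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree(), BLOCKLIST):
        print(finding)
```

The same lock file is also the mitigation for silent version rotation: enabling `RestorePackagesWithLockFile` and restoring with `RestoreLockedMode` makes a restore fail when a resolved version or content hash drifts from what was committed, instead of quietly pulling whatever version the publisher currently exposes.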
Key Warning Signs
Security teams should look for:
- Unexpected files in OneDrive-like directories
- Suspicious outbound network activity
- Unusual behavior during compilation
- Unauthorized access to credential stores
Monitoring developer environments is now just as important as securing production systems.
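Two of the signs above (the OneDrive-lookalike folder from the persistence section, and the second-stage executable) translate directly into triage rules. The code below is an added example (not detection content from the article or any vendor) that runs such rules over constructed Sysmon-style process-create and file-create events. The stealer image name we4ftg.exe comes from the article; the notion of where a genuine OneDrive directory may legitimately sit (directly under a user profile, or under a "Microsoft" parent such as %LOCALAPPDATA%\Microsoft\OneDrive), the rule names and all sample paths are this example's assumptions.

```python
"""Triage rules for the warning signs in the article, run over constructed
endpoint telemetry. Added example, not the article's or any vendor's detection
content. The stealer image name comes from the article; the allowlist of
genuine OneDrive locations and the sample events are assumptions."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

KNOWN_STEALER_IMAGES = {"we4ftg.exe"}          # named in the article
ONEDRIVE_DIR = re.compile(r"^onedrive", re.IGNORECASE)


def onedrive_dir_index(path: PureWindowsPath) -> int:
    """Index of the first OneDrive-named path component, or -1."""
    for i, part in enumerate(path.parts):
        if ONEDRIVE_DIR.match(part):
            return i
    return -1


def is_lookalike_onedrive_path(target: str) -> bool:
    """True for a OneDrive-named folder outside the places the real client
    uses: C:\\Users\\<user>\\OneDrive* (sync root) or a ...\\Microsoft\\OneDrive
    program/data folder. Assumption of this example."""
    path = PureWindowsPath(target)
    idx = onedrive_dir_index(path)
    if idx < 0:
        return False
    parts = path.parts
    sync_root = idx == 3 and parts[1].lower() == "users"
    vendor_dir = idx > 0 and parts[idx - 1].lower() == "microsoft"
    return not (sync_root or vendor_dir)


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply both rules; returns one alert dict per matching event."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        image_name = PureWindowsPath(ev["image"]).name.lower()
        if ev["type"] == "process_create" and image_name in KNOWN_STEALER_IMAGES:
            alerts.append({"rule": "known-stealer-image", "image": ev["image"]})
        elif ev["type"] == "file_create" and is_lookalike_onedrive_path(ev["target"]):
            alerts.append({"rule": "onedrive-lookalike-write",
                           "image": ev["image"], "target": ev["target"]})
    return alerts


# Constructed sample telemetry: two benign writes, one benign client write,
# then the stealer starting and writing into a fake OneDrive folder.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\OneDrive\Documents\report.docx"},
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": r"C:\Users\alice\OneDrive - Contoso\settings.ini"},
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\logs\sync.log"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\we4ftg.exe", "target": ""},
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Local\Temp\we4ftg.exe",
     "target": r"C:\Users\alice\AppData\Local\OneDrive\cache.dat"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The path rule deliberately allows ordinary applications to save into the real sync root, since Office and many other tools do that constantly; what it keys on is the folder name being borrowed somewhere the genuine client never creates it, which is the kind of indicator the persistence section describes.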
The Bigger Lesson: Supply Chain Is the New Battlefield
This attack reinforces a critical reality:
👉 Modern cyberattacks don’t break into systems…
👉 They get installed as dependencies
Open-source ecosystems and package registries are now a major attack surface.
And trust is being weaponized.
Conclusion
With over 64,000 downloads and months of undetected activity, this malicious NuGet campaign is one of the clearest examples of how supply chain attacks are evolving.
For developers and organizations, the takeaway is simple:
👉 Trust nothing by default—even your dependencies
Because in today’s threat landscape, the most dangerous code is the code you willingly install.