NuGet | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have disclosed details of a new malicious package on the npm repository that works as a fully functional WhatsApp API, but also contains the ability to intercept every message and link the attacker's device to a victim's WhatsApp account. The package, named " lotusbail ," has been downloaded over 56,000 times since it was first uploaded to the registry by a user named "seiren_primrose" in May 2025. Of these, 711 downloads took place over the last week. The library is still available for download as of writing. Under the cover of a functional tool, the malware "steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server," Koi Security researcher Tuval Admoni said in a report published over the weekend. Specifically, it's equipped to capture authentication tokens and session keys, messa...

Cybersecurity researchers have discovered a new malicious NuGet package that typosquats and impersonates the popular .NET tracing library and its author to sneak in a cryptocurrency wallet stealer. The malicious package, named " Tracer.Fody.NLog ," remained on the repository for nearly six years. It was published by a user named "csnemess" on February 26, 2020. It masquerades as " Tracer.Fody ," which is maintained by " csnemes ." The package continues to remain available as of writing, and has been downloaded at least 2,000 times, out of which 19 took place over the last six weeks for version 3.2.4.  "It presents itself as a standard .NET tracing integration but in reality functions as a cryptocurrency wallet stealer," Socket security researcher Kirill Boychenko said . "Inside the malicious package, the embedded Tracer.Fody.dll scans the default Stratis wallet directory, reads *.wallet.json files, extracts wallet data, and exf...

A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems. According to software supply chain security company Socket, the packages were published in 2023 and 2024 by a user named " shanhai666 " and are designed to run malicious code after specific trigger dates in August 2027 and November 2028. The packages were collectively downloaded 9,488 times. "The most dangerous package, Sharp7Extend, targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation, affecting safety-critical systems in manufacturing environments," security researcher Kush Pandya said . The list of malicious packages is below - MyDbRepository (Last updated on May 13, 2023) MCDbRepository (Last updated on June 5, 2024) Sharp7Extend (Last updated on August 14, 2024) SqlDbRepo...

Cybersecurity researchers have uncovered a new supply chain attack targeting the NuGet package manager with malicious typosquats of Nethereum , a popular Ethereum .NET integration platform, to steal victims' cryptocurrency wallet keys. The package, Netherеum.All , has been found to harbor functionality to decode a command-and-control (C2) endpoint and exfiltrate mnemonic phrases, private keys, and keystore data, according to security company Socket. The library was uploaded by a user named " nethereumgroup " on October 16, 2025. It was taken down from NuGet for violating the service's Terms of Use four days later. What's notable about the NuGet package is that it swaps the last occurrence of the letter "e" with the Cyrillic homoglyph "e" (U+0435) to fool unsuspecting developers into downloading it. In a further attempt to increase the credibility of the package, the threat actors have resorted to artificially inflating the download counts...

Threat hunters have identified a suspicious package in the  NuGet package manager  that's likely designed to target developers working with tools made by a Chinese firm that specializes in industrial- and digital equipment manufacturing. The package in question is  SqzrFramework480 , which ReversingLabs said was first published on January 24, 2024. It has been  downloaded  2,999 times as of writing. The software supply chain security firm said it did not find any other package that exhibited similar behavior. It, however, theorized the campaign could likely be used for orchestrating industrial espionage on systems equipped with cameras, machine vision, and robotic arms. The indication that SqzrFramework480 is seemingly tied to a Chinese firm named Bozhon Precision Industry Technology Co., Ltd. comes from the use of a version of the company's logo for the package's icon. It was uploaded by a Nuget user account called " zhaoyushun1999 ." Present within the...