NuGet malware targets Nethereum tools
ID: 6ff55be7-e1ad-5f6f-9fcc-fb0640078403
STIX ID: report--6ff55be7-e1ad-5f6f-9fcc-fb0640078403
Feed Name: ReversingLabs Blog
ReversingLabs discovered a NuGet supply-chain campaign comprising 14 malicious packages that impersonated legitimate .NET crypto libraries. The packages quietly embedded malicious functions to exfiltrate private keys and seed phrases, overwrite transaction destinations with attacker wallets, and steal Google Ads OAuth credentials. Techniques used to appear legitimate included homoglyphs, version bumping, and inflated download counts. The report categorizes the packages into three groups (wallet stealer, crypto-funds stealer, Google Ads OAuth stealer), provides examples of malicious functions and IOCs, and recommends developer vetting, package inspection, and defensive tools to mitigate downstream compromise.
