Inside the NuGet hackers' toolset
ID: 91125374-e7c8-5eca-8951-15a819c045ab
STIX ID: report--91125374-e7c8-5eca-8951-15a819c045ab
Feed Name: ReversingLabs Blog
ReversingLabs researchers discovered two NuGet packages that accidentally contained a complete three-part attacker toolchain for large-scale NuGet typosquatting: a scraper that clones package metadata, a publisher that creates and uploads semi-empty impersonating packages (including future inflated versions), and a multi-threaded PowerShell 'botter' that fakes downloads via rotated user-agents and proxies to artificially boost perceived trust. The exposure confirms how threat actors operationalize metadata cloning and reputation manipulation in supply-chain campaigns, and it provides behavioral indicators for defenders to detect and block similar abuse.
