惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

SecWiki News
SecWiki News
量子位
The Cloudflare Blog
美团技术团队
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
P
Proofpoint News Feed
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 三生石上(FineUI控件)
T
Tor Project blog
博客园 - 司徒正美
宝玉的分享
宝玉的分享
T
Threatpost
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Secure Thoughts
T
Threat Research - Cisco Blogs
Hacker News: Ask HN
Hacker News: Ask HN
Jina AI
Jina AI
博客园 - 聂微东
A
Arctic Wolf
I
Intezer
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
爱范儿
爱范儿
Hugging Face - Blog
Hugging Face - Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
小众软件
小众软件
T
Tailwind CSS Blog
The Hacker News
The Hacker News
L
LINUX DO - 最新话题
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
S
SegmentFault 最新的问题
TaoSecurity Blog
TaoSecurity Blog
Project Zero
Project Zero
博客园 - 叶小钗
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Cloudbric
Cloudbric
雷峰网
雷峰网
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
大猫的无限游戏
大猫的无限游戏
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Troy Hunt's Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
V2EX - 技术
V2EX - 技术
The GitHub Blog
The GitHub Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy & Cybersecurity Law Blog

Socket

Next.js moves to scheduled security releases - Socket 11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windo... Compromised npm Packages in the AsyncAPI Namespace Deliver M... jscrambler npm Package Compromised in Supply Chain Attack - ... Fake Braintree NuGet Package Skims Credit Cards and Harvests... Compromised Injective SDK npm Package Exfiltrates Wallet Key... npm v12 Ships With Install Scripts Off by Default, Begins De... Malicious Go Module Exposes GitHub Malware Lure Network Span... pnpm 11.10 Hardens Registry Authentication to Block Token Re... Coordinated npm and PyPI Campaign Typosquats Popular Secure ... Node.js Considers Public Workflow for Security Reports Amid ... PolinRider: North Korea-Linked Supply Chain Campaign Expands... Risky Biz Podcast: AI Agents Are Raising the Stakes for Soft... Chrome and Firefox Extensions Posing as Free VPNs Add Clipbo... Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages - S... Rolldown Pulls Rust React Compiler Integration After Binary ... Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and Git... Frontier AI Is Now Critical Infrastructure - Socket The Code You Didn't Write Is Still Yours to Defend - Socket GitHub Actions Checkout Now Blocks Risky pull_request_target... Introducing Repository Access Permissions and Custom Roles -... Socket MCP Adds Org Alerts, Threat Feed Review, and Package ... Socket Firewall Now Blocks Malicious VS Code and Open VSX Ex... 140+ Mastra npm Packages Compromised in Coordinated Supply C... npm Package Uses Prompt Injection and Token Flooding to Disr... Introducing Manifest Alerts - Socket GlassWASM: WebAssembly Malware Found in Trojanized Open VSX ... Socket for Linear Is Now Available - Socket US Government Forces Anthropic to Pull Claude Fable Days After Launch 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic Andrew Becherer Joins Socket as Chief Information Security Officer Socket Partners with Replit to Block Malicious Packages in AI-Powered Development npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems pnpm 11.5 Adds Support for Recognizing npm Staged Publishes pnpm 11.5 Adds Support for Recognizing npm Staged Publishes Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Famous Chollima Targets PHP Developers Through Compromised Packagist Package Famous Chollima Targets PHP Developers Through Compromised Packagist Package Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io Laravel Lang Compromised with RCE Backdoor Across 700+ Versions Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects AI Has Taken Over Open Source npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit Socket raises $60M Series C at $1B valuation led by Thrive Capital to secure AI-driven software development Socket Raises $60M Series C at a $1B Valuation to Help Enterprises Build Securely With AI Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor Active Supply Chain Attack Compromises @antv Packages on npm Popular node-ipc npm Package Infected with Credential Stealer TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks Packagist Urges Immediate Composer Update After GitHub Actions Token Leak GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government Socket Named to Rising in Cyber 2026 List of Top Cybersecurity Startups TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack fsnotify Maintainer Dispute Sparks Supply Chain Concerns Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape pnpm 11 Adds Supply Chain Protection Defaults for Minimum Release Age and Exotic Subdependencies PyPI Fixes High-Severity Access Control Issues Found in Security Audit Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack lightning PyPI Package Compromised in Supply Chain Attack Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables SAP CAP npm Packages Hit by Supply Chain Attack Socket Has Acquired Secure Annex 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations Introducing Reachability for PHP Introducing Data Exports Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions Introducing Organization Notifications in Socket Introducing Reports: An Extensible Reporting Framework for Socket Data Socket for Jira Is Now Available Socket Named Top Sales Organization by RepVue NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets Socket Selected for OpenAI's Cybersecurity Grant Program Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code 108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure Node.js Drops Bug Bounty Rewards After Funding Dries Up The Hidden Blast Radius of the Axios Compromise
5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer
Kush Pandya · 2026-05-07 · via Socket

Sidebar CTA Background

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.

Install

Socket's Threat Research Team discovered five malicious NuGet packages published under the account bmrxntfj that typosquat widely used Chinese .NET UI and infrastructure libraries. Each package grafts a .NET Reactor protected infostealer payload onto a decompiled copy of a legitimate open source library. The stealer targets saved credentials across 12 browsers, 8 desktop cryptocurrency wallets, 5 browser wallet extensions and exfiltrates to a newly-registered C2 domain. Across all versions, the five packages have accumulated approximately 65,000 downloads, putting tens of thousands of developer workstations and CI/CD build servers in scope of credential and crypto wallet theft. All five packages remain available on NuGet at the time of writing. We’ve submitted takedown requests to the NuGet Gallery security team.

Background#

Each package claims to wrap a legitimate Chinese .NET library. IR.DantUI and IR.OscarUI wrap AntdUI, an MIT-licensed WinForms component library maintained on Gitee. The name "DantUI" is a one-character anagram of "AntdUI." IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, and IR.iplus32 contain functional .NET code in namespaces (iplus32.*, infrastructure service patterns) consistent with internal Chinese enterprise libraries. Instead of directly typosquatting any package names, they appear to impersonate private or internally distributed libraries that targeted organizations may already be consuming, making the package names plausible to developers in those environments.

The threat actor bmrxntfj NuGet profile showing all five IR.* packages

Developers who work in Chinese enterprise .NET ecosystems, integrate WinForms UI components from Gitee-sourced mirrors, or pull packages from curated Chinese corporate registries are the intended victims. The library surface is functional: Reactor decrypts the original IL at JIT time, so the package both compiles cleanly and executes its payload.

The Five Packages#

The bmrxntfj account owns exactly these five package IDs and no others. There are no benign cover packages and no packages predating the campaign. A publishing history audit via the NuGet registration API shows 224 total versions across the five IDs. 219 of those versions carry listed: false, hiding them from public search while keeping them fetchable via direct version-pinned install commands. The operator keeps only one version listed per package at a time, creating a false appearance of a low-volume, possibly legitimate library while silently accumulating install counts across a long unlisted version history.

This version rotation is an active evasion technique. The operator published version 2.1.55 on 2026-04-14, then rotated to 2.1.56 and 2.1.57 after analysis began. By unlisting the previously analyzed version and listing a new one, the operator invalidates file-hash-based IOCs: security tools blocking the 2.1.55 DLL hashes will not catch 2.1.57 because the DLL bytes differ. The campaign has followed this same pattern across all 219 prior versions, suggesting the operator has been running this rotation cycle for at least seven months.

The five 2.1.55 versions were published in sequence on 2026-04-14:

The 12.78-second total window, combined with a dependency-graph-respecting publish order (Core packages before consumers), is consistent with a scripted release pipeline. A diff of IR.DantUI's DantUI/Svg/Transforms/SvgTransform.cs against the upstream AntdUI source confirms the repackaging technique for the AntdUI-derived packages: every AntdUI.* namespace is renamed to DantUI.*, every method body is replaced by a Reactor-Necrobit native decrypt stub (represented as return null; in the decompiled output), a 230-field Reactor module state machine is injected into the static constructor of every type, and the Reactor bootstrap hook is inserted at the top of every type initializer. The three remaining packages contain equivalent Reactor-wrapped functional .NET code with no confirmed public upstream.

Socket's AI scanner flagging ir.iplus32@2.1.56 as known malware, identifying the in-memory payload loader, anti-tamper checks, RWX memory allocation via native interop, and Linux /proc/self/mem access consistent with malicious supply chain behavior.

Attack Chain#

Stage 1: Module Initialization and JIT Hooking

The payload fires through the .NET module initializer, which the CLR invokes automatically before any application code runs on first load. No explicit API call, user interaction, or Visual Studio session is required. Any build server, CI runner, or developer workstation that runs nuget restore and then loads the assembly is in scope.

On DLL load the CLR fires the module initializer. The initializer calls into the Reactor bootstrap, which:

  1. Verifies the assembly's Anti-Tamper integrity using the embedded RSA-1024 public key.
  2. Allocates a read-write-execute memory region using VirtualAlloc(PAGE_EXECUTE_READWRITE).
  3. Decrypts the Necrobit stage-2 resource blob (the encrypted method IL) and copies it into that region.
  4. Patches clrjit.dll!getJit with a 4-byte JMP, replacing the CLR JIT compiler's dispatch pointer with a hook that owns every subsequent method compilation in the process.

After step 4, the hook decrypts each encrypted method body on demand before the JIT compiles it. The legitimate library code resumes running normally. The payload has control of the JIT pipeline.

The same module initializer includes fully wired cross-platform code paths: on Linux it writes to /proc/self/mem and uses mmap and mprotect; on macOS it resolves libSystem and libclrjit symbols and calls the same primitives. Loading any IR.* package on Linux or macOS CI infrastructure activates the same hook chain.

The P/Invoke stubs for the Windows API calls use string-split evasion to avoid static analysis:

// Analyst note: the API name is reassembled at runtime from a trimmed string literal
// plus a concatenated suffix, evading scanners that search for "OpenProcess" in the DLL.
// The same pattern is applied to WriteProcessMemory and VirtualAlloc.
string apiName = "Open ".Trim() + "Process";

Stage 2: Infostealer Execution

Payload analysis draws from we4ftg.exe, a 786 KB .NET MSIL assembly recovered from the memory dump described in the Attribution section. The dump, which was captured while the stealer was live after .NET Reactor decryption, so all runtime class names and configuration strings are in plaintext in the managed-object heap.

Reactor's Necrobit mode encrypts method bodies but does not touch the .NET metadata streams (#~#Strings) unless the operator enables Type Name Obfuscation. Running ilspycmd --list assemblies against the rebuilt PE produces a complete class graph that names every capability without decrypting a single method body:

ilspycmd --list assemblies output for we4ftg.exe showing stealer class names recovered from unencrypted .NET metadata, with all method bodies still Reactor-encrypted.

Browser credential harvestingBrowserKeyDecryptor targets Chromium Login Data and Web Data SQLite databases. It unseals the Chromium master key by invoking the Chromium IElevator com inference; the Microsoft Edge IElevator IID {c9c2b807-7731-4f34-81b7-44ff7779522b} was recovered intact from the memory dump. Both Chrome encryption versions are handled: v10 (legacy DPAPI-wrapped master key) and v20 (AppBound encryption, introduced in Chrome 127 in mid-2024). Handling v20 confirms the payload was built or updated after July 2024.

The 12 targeted Chromium-family browsers are: Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, Epic Privacy, Torch, Comodo, Slimjet, Iridium, 7Star, and AVG Secure Browser. AVG Secure Browser is special-cased by user-data path (avgbrowser / avg\\browser) rather than handled by generic Chromium profile enumeration, indicating deliberate targeting. Firefox, Mozilla, and Thunderbird are also in scope.

Cryptocurrency wallet extraction: Five Chromium extension IDs are hardcoded:

  • nkbihfbeogaeaoehlefnkodbefgpgknn (MetaMask)
  • ibnejdfjmmkpcnlpebklmnkoeoihofec (TronLink)
  • bfnaelmomeimhlpmgjnjophhpkkoljpa (Phantom)
  • egjidjbpglichdcondbcbdnbeeppgdph (Trust Wallet)
  • hnfanknocfeofbddgcijnmhnfnkdnaad (Coinbase Wallet)

Desktop wallet directories for Exodus, Electrum, Atomic, Guarda, Coinomi, Ledger, Jaxx, and Binance are also walked.

Document and credential theft: SSH private keys (id_rsa), Outlook profiles, Steam session configuration, and the full file tree under Documents, Desktop, and Downloads are harvested.

Process injectionSharpInjector with InjectionStatusCode return codes and a DllArchitecture enumeration supports architecture-matched injection into long-lived processes. InternalStructs32 and InternalStructs64 implement PEB-walking manual LdrLoadDll-style module loading for both bitnesses, consistent with migration into dllhost.exe or explorer.exe for persistence.

Staging and exfiltration: All harvested material is staged under C:\\ProgramData\\Microsoft OneDrive\\keys.dat. This path abuses the real Microsoft OneDrive installation directory to blend with expected filesystem state. Legitimate OneDrive never writes a keys.dat file there. The staged archive is POSTed to https://dns-providersa2[.]com/upload; text logs are hex-encoded and sent to the same endpoint. Each HTTP request carries a dynamically generated header named X-{3 random lowercase letters} to avoid static header-name matching in network appliances.

Anti-analysis: 22 hardcoded uppercase SHA-256 hex strings form an internal blocklist in we4ftg.exe. Enumeration attempts against common sandbox usernames, computer names, and analyst-tool process names returned no matches, suggesting the hashes cover HWIDs, specific cryptocurrency wallet addresses, or file hashes of known analyst binaries.

Attribution: The .NET Reactor RSA Pivot#

Every copy of .NET Reactor is licensed with a unique RSA-1024 key pair. The public half is embedded in every assembly the operator protects and is used for Anti-Tamper signature verification. It is operator-specific: two different Reactor customers will have different RSA moduli even when using identical Reactor settings.

Extracting the RSA public key from IR.iplus32's Reactor bootstrap yields a modulus with a base64 representation beginning zlUkMywGKDNbeJxH. A VirusTotal Intelligence content search for that base64 string returns exactly four files:

  • s4.exe (first seen 2026-04-04, 10 days before the NuGet burst): a 100 MB Rip-scraper process memory dump containing a live stealer execution
  • A fake CRYPT32.DLL.MUI (96 MB, first seen 2026-04-05)
  • A fake mscorrc.dll (99 MB, first seen 2026-04-05)
  • A 2.2 MB raw shellcode blob (first seen 2026-03-07)

All four files share the same Reactor modulus and are operator-owned artifacts from the same campaign. The crowdsourced YARA labels across the cluster include Lumma, Quantum, AgentRacoon, and ArrowRAT. These family labels reflect shared obfuscation technique (Reactor packing) rather than definitive family classification; the RSA modulus is the precise attribution signal.

VirusTotal detection results for s4.exe, the memory dump sharing the IR. campaign's Reactor RSA signing key, showing crowdsourced YARA family labels consistent with an active infostealer.

One query detail worth noting: searching VT for the raw hex-encoded bytes of the modulus returns zero results, because Reactor embeds the modulus only as base64 inside an <RSAKeyValue> XML literal at runtime. Searching for the hex form is a common miss in Reactor attribution work; the base64 prefix is the correct pivot query.

Runtime Configuration Recovered from Memory#

s4.exe is a raw process memory dump captured by the Rip scraper tool while a Reactor-packed stealer was already running. The dump contains 61 page-aligned PE images and approximately 10 MB of live .NET heap. Because the Reactor runtime had already decrypted the payload before the capture, all runtime strings are recoverable by regex sweep over the raw dump bytes without any unpacking step.

A regex for HTTP URLs against the 100 MB file surfaces the complete C2 configuration at heap offset 0x84e36c, stored as a length-prefixed UTF-16LE serialized dictionary:

# Analyst note: pattern applied to s4.bin as a raw byte scan.
# Both UTF-8 and UTF-16LE forms of the C2 domain appear in the heap.
# 20 UTF-16LE hits, 2 ASCII hits, spanning offsets 0x84e000 to 0x8f0000.
import re
pattern = re.compile(rb'(?i)(?:https?|wss?|ftp)://[\w.\-:/%?=&#]+')
with open("s4.bin", "rb") as f:
    data = f.read()
hits = pattern.findall(data)

The extracted configuration covers the C2 endpoints, the random X-{abc} header obfuscation scheme, the Chromium elevation CLSID, the OneDrive staging path, both Chrome v10 and v20 encryption version strings, the full browser user-data path list, and the browser wallet extension ID list. The threat actor also left a test victim identity in the dump: hostname NEW-4V, username oljwe4y98, consistent with a developer sandbox used for payload testing before deployment.

This technique generalizes to any Reactor-Necrobit sample for which a live memory dump is available: the .NET managed-object heap always contains the post-decrypt string values between the page-aligned PE images, recoverable by regex without any Reactor-specific tooling.

C2 Infrastructure#

The primary C2 is dns-providersa2[.]com, registered 2026-03-12, 33 days before the NuGet publish burst. It resolves to 62[.]84[.]102[.]85, a VDSINA VPS on ASN 216071 fronted in Amsterdam with a UAE shell-company registrant. Nameserver authority is delegated to Njalla (1-you.njalla[.]no2-can.njalla[.]in3-get.njalla[.]fo), a Nevis-incorporated privacy registrar routinely used by ransomware, stealer, and phishing operators to prevent WHOIS-based takedown requests. The domain has no MX record and no AAAA record, consistent with a bare HTTPS C2 with no mail or IPv6 surface. The domain name is engineered to resemble a legitimate DNS provider in firewall and netflow logs.

The two C2 endpoints recovered from the heap are https://dns-providersa2[.]com/check (beacon and operator validation) and https://dns-providersa2[.]com/upload (exfiltration upload).

Two of the five nuspec files list git[.]justdotrip[.]com as the <RepositoryUrl>. This resolves to 47[.]100[.]60[.]237 on Alibaba Cloud Shanghai. It is a private git server with no public repository surface. The same domain produces zero hits in public malware databases or GitHub commit searches and likely hosts the threat actor's development environment. It was not observed as an active C2 in the heap dump and is included here as an operator infrastructure indicator.

Impact#

Any build machine, CI runner, or developer workstation that ran nuget restore against a project listing any of the five IR.* package IDs loaded a DLL whose module initializer fires before application code. Installing a package is not required for execution: restoring the package to the local cache and loading the DLL in any .NET host process is sufficient.

The total download count across all versions and all five package IDs is approximately 64,784. This figure covers the maximum exposure window dating back to September 2025, when the oldest recoverable version of IR.iplus32 was first published. Any machine that restored and loaded any of the 219 listed: false prior versions is equally at risk.

Confirmed data categories in scope for exfiltration, based on the recovered target list and staging path: browser saved passwords, browser cookies and session tokens, browser autofill data and stored payment cards, browser wallet extension storage (MetaMask, TronLink, Phantom, Trust Wallet, Coinbase Wallet), desktop wallet seed files and wallet.dat files for Exodus, Electrum, Atomic, Guarda, Coinomi, Ledger, Jaxx, and Binance, SSH private keys, Outlook email profiles, Steam session credentials, and files in Documents, Desktop, and Downloads.

Outlook and Recommendations#

For Developers

Check project files and packages.lock.json for any reference to IR.DantUIIR.Infrastructure.CoreIR.Infrastructure.DataService.CoreIR.iplus32, or IR.OscarUI at any version. If any of these package IDs appear in your dependency graph, treat the restoring machine as compromised and rotate all credentials accessible from it: browser-saved passwords, API keys, SSH private keys, cryptocurrency wallet seeds, and cloud provider credentials.

If you need the legitimate upstream libraries, install them directly from their canonical NuGet identities and publishers, not any IR.* variant.

For Security Teams

Add the following to your detection stack:

  • Block or alert on any DNS resolution of dns-providersa2[.]com.
  • Alert on any outbound connection to 62[.]84[.]102[.]85.
  • Alert on file creation at C:\\ProgramData\\Microsoft OneDrive\\keys.dat. Legitimate OneDrive never writes this file.
  • Alert on CoCreateInstance calls requesting the Microsoft Edge IElevator interface (IID {c9c2b807-7731-4f34-81b7-44ff7779522b})by any process outside the Edge browser family.
  • Alert on CI or build machines loading any DLL matching the five SHA-256 hashes in the IOC section.
  • Flag outbound HTTP requests carrying headers matching X-[a-z]{3} with a short random value from build or developer machines, which is the stealer's per-request C2 header obfuscation pattern.

The bmrxntfj account published 224 versions across five typosquatting package IDs with no benign publishing history and no disclosed affiliation with the upstream libraries being imitated. The account should be suspended and all five package IDs delisted. The shared Git commit hash efb675de4b3af3dac3c9cae91075fd7cc2f4f98e, the Iplusus NuGet tag, and the git[.]justdotrip[.]com repository URL should be searched across the full registry for additional packages from the same campaign.

Socket detects threats like this across the full dependency graph, including JIT-hooking module initializers, typosquatted package metadata, and encrypted payload resources, before they reach developer environments. The Socket GitHub App scans pull request dependency changes and flags malicious packages before merge. The Socket CLI enforces allow and deny rules in CI pipelines. Socket Firewall blocks known malicious packages before they are fetched. The Socket browser extension surfaces risk signals while browsing NuGet. Socket MCP prevents AI-assisted coding workflows from introducing suspicious dependencies into your codebase.

MITRE ATT&CK#

  • T1195.002 : Supply Chain Compromise: Compromise Software Supply Chain
  • T1027 : Obfuscated Files or Information
  • T1055.013 : Process Injection: Process Doppelgänging
  • T1497.001 : Virtualization/Sandbox Evasion: System Checks
  • T1005 : Data from Local System
  • T1071.001 : Application Layer Protocol: Web Protocols
  • T1539 : Steal Web Session Cookie
  • T1552.001 : Unsecured Credentials: Credentials in Files
  • T1560 : Archive Collected Data
  • T1082 : System Information Discovery
  • T1083 : File and Directory Discovery

Indicators of Compromise (IOCs)#

Malicious Packages

  • IR.DantUI
  • IR.Infrastructure.Core
  • IR.Infrastructure.DataService.Core
  • IR.iplus32
  • IR.OscarUI

Threat Actor

  • NuGet publisher account: bmrxntfj

Network Indicators

  • dns-providersa2[.]com (primary C2 domain)
  • https://dns-providersa2[.]com/check (C2 beacon endpoint)
  • https://dns-providersa2[.]com/upload (exfiltration endpoint)
  • 62[.]84[.]102[.]85 (VDSINA, ASN 216071, Amsterdam)
  • justdotrip[.]com / 47[.]100[.]60[.]237 (operator development infrastructure, Alibaba Cloud Shanghai)
  • 1-you.njalla[.]no2-can.njalla[.]in3-get.njalla[.]fo (Name Servers)
  • HTTP header pattern: X-[a-z]{3} with random 3-letter value per request

Host Indicators

  • C:\\ProgramData\\Microsoft OneDrive\\keys.dat
  • s4.exe : e1869d6571894f058dd4ab2b66f060628dc364ee8e29afbd2323c95e5002fb8e
  • we4ftg.exe : 8f7aa15c77bde94087bb74dfc072e25212797b313731b4cad0ded3e152268dcf

Encrypted Stage-2 Resource SHA-256 Hashes

  • IR.DantUI(v.2.1.55) : 34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c
  • IR.Infrastructure.Core(v.2.1.55): b8543b2a1ad8862ebfef18924cf5444d2adfee996939963f4fc2748c582cf9a9
  • IR.Infrastructure.DataService.Core(v.2.1.55) : b8fa1b2fade45304c003909e375d2519ea447b498b7d93fe7c50db014d30f4fa
  • IR.iplus32(v2.1.55) : 019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824
  • IR.OscarUI(v2.1.55): 596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1

Chromium extension IDs

  • nkbihfbeogaeaoehlefnkodbefgpgknn (MetaMask)
  • ibnejdfjmmkpcnlpebklmnkoeoihofec (TronLink)
  • bfnaelmomeimhlpmgjnjophhpkkoljpa (Phantom)
  • egjidjbpglichdcondbcbdnbeeppgdph (Trust Wallet)
  • hnfanknocfeofbddgcijnmhnfnkdnaad (Coinbase Wallet)