T1195.001 Compromise Software Dependencies and Development Tools (96%)
"mscorrc.dll binaries, all sharing the same Reactor modulus. Crowd-sourced YARA rules label these samples with families such as Lumma, Quantum, AgentRacoon, and ArrowRAT, reflecting shared obfuscation rather than a definitive family match. The primary command-and-control do…"
T1555.003 Credentials from Web Browsers (94%)
"via the IElevator COM interface, including support for Chrome's newer v20 app-bound encryption introduced in mid-2024. At least 12 Chromium-based browsers are supported, including Chrome, Edge, Brave, Opera, Vivaldi, Epic, Torch, Comodo, SlimJet, Iridium, 7Star, and AVG Secu…"
T1195.001 Compromise Software Dependencies and Development Tools (94%)
"Malicious NuGet packages steal browser credentials, SSH keys, and crypto wallets. Malicious NuGet packages are quietly stealing browser credentials, SSH keys, and cryptocurrency wallet data from developer machines and CI/CD infrastructure, with a particular focus on Chinese .NET…"
T1552.004 Private Keys (91%)
", Jaxx, and Binance wallet files. Beyond finance, it harvests SSH private keys (such as id_rsa), Outlook profiles, Steam session data, and recursively collects documents from the user's Desktop, Documents, and Downloads directories. Stolen content is staged under C:\prog…"
T1195.001 Compromise Software Dependencies and Development Tools (88%)
"September 2025 should be treated as compromised, regardless of whether the packages were ultimately used at runtime. With around 65,000 total downloads, the blast radius spans tens of thousands of developer workstations and CI/CD build agents, exposing browser passwords, sessi…"
T1027 Obfuscated Files or Information (73%)
"getJit so every method JIT compilation passes through attacker-controlled code. Cross-platform support ensures that equivalent primitives are used on Linux via /proc/self/mem, mmap, and mprotect, and on macOS using libSystem and libclrjit symbols. The Windows API P/I…"
T1195.002 Compromise Software Supply Chain (46%)
"Malicious NuGet packages steal browser credentials, SSH keys, and crypto wallets. Malicious NuGet packages are quietly stealing browser credentials, SSH keys, and cryptocurrency wallet data from developer machines and CI/CD infrastructure, with a particular focus on Chinese .NET…"
T1587 Develop Capabilities (44%)
"Malicious NuGet packages steal browser credentials, SSH keys, and crypto wallets. Malicious NuGet packages are quietly stealing browser credentials, SSH keys, and cryptocurrency wallet data from developer machines and CI/CD infrastructure, with a particular focus on Chinese .NET…"
T1195.001 Compromise Software Dependencies and Development Tools (35%)
"…rxntfj account, that impersonate Chinese .NET UI and enterprise libraries. The operator maintains just one visible version of each package at any time while rotating through unlisted builds, a strategy that inflates install counts while evading hash-based detections. Recently…"
T1036.005 Match Legitimate Resource Name or Location (31%)
"Malicious NuGet packages steal browser credentials, SSH keys, and crypto wallets. Malicious NuGet packages are quietly stealing browser credentials, SSH keys, and cryptocurrency wallet data from developer machines and CI/CD infrastructure, with a particular focus on Chinese .NET…"
Summary
Malicious NuGet packages are quietly stealing browser credentials, SSH keys, and cryptocurrency wallet data from developer machines and CI/CD infrastructure, with a particular focus on Chinese .NET ecosystems. The campaign blends legitimate-looking UI and infrastructure libraries with a heavily protected infostealer payload, making it hard for developers and traditional security tools to spot. Packages IR.DantUI, IR.OscarUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, […]

Source: "Malicious NuGet Packages Steal Browser Credentials, SSH Keys, and Crypto Wallets", GBHackers Security, https://gbhackers.com/malicious-nuget-packages-2/