5 NuGet packages impersonate Chinese .NET UI libraries with infostealer payload
NuGet publisher bmrxntfj shipped five packages on 14 April 2026 within ~13 seconds, grafting a .NET Reactor-protected infostealer onto decompiled legitimate libraries. Across 219 total versions they accumulated ~65k downloads, targeting browser creds, crypto wallets, and SSH keys on Windows .NET dev hosts.
- Detected by
- Socket
- Ecosystems
- NuGet
- Packages tracked
- 5
What happened
Socket's threat research team disclosed five NuGet packages pushed by publisher bmrxntfj on 14 April 2026 within a 12–13 second window. The packages impersonate Chinese-language .NET UI libraries (DantUI, OscarUI, an "Infrastructure" framework) and graft a .NET Reactor-protected infostealer onto decompiled copies of the genuine libraries so functionality looks intact.
Execution is automatic on nuget restore via a module-initializer JIT hook — no explicit API call by the consumer is required. The stealer targets 12 browsers, 8 cryptocurrency wallets, SSH keys and arbitrary local files. A second-stage encrypted payload is staged at C:\ProgramData\Microsoft OneDrive\keys.dat.
- C2 domain:
dns-providersa2.com(registered 2026-03-12, Njalla privacy registrar). - C2 IP:
62.84.102.85(VDSINA, ASN 216071, Amsterdam) with/checkand/uploadendpoints. - Dev / staging infra:
git.justdotrip.com/47.100.60.237(Alibaba Cloud). - Shared .NET Reactor RSA-1024 key (base64 prefix
zlUkMywGKDNbeJxH) ties the five packages and 219 historical versions together.
Accumulated downloads across all versions reach roughly 64,784 since September 2025. After Socket's analysis began, the operator rotated to version 2.1.57 — defenders should treat the entire IR.* publisher namespace as untrusted rather than relying on a single fixed version.
Affected packages (5)
- NuGet
IR.DantUI2.1.55 - NuGet
IR.Infrastructure.Core2.1.55 - NuGet
IR.Infrastructure.DataService.Core2.1.55 - NuGet
IR.iplus322.1.55 - NuGet
IR.OscarUI2.1.55
Impact
- Browser cred and wallet theft on Windows .NET dev hosts
- Encrypted secondary stage staged at
C:\ProgramData\Microsoft OneDrive\keys.dat - Targets Chinese-speaking .NET developers via UI-library impersonation
What to do
- 1Remove listed packages from any .NET project
- 2Treat credentials and wallets on affected workstations as compromised
- 3Block dns-providersa2.com and git.justdotrip.com at egress