Feed
HighPublished 14 Apr 20265 packages · 5 versions

5 NuGet packages impersonate Chinese .NET UI libraries with infostealer payload

Summary

NuGet publisher bmrxntfj shipped five packages on 14 April 2026 within ~13 seconds, grafting a .NET Reactor-protected infostealer onto decompiled legitimate libraries. Across 219 total versions they accumulated ~65k downloads, targeting browser creds, crypto wallets, and SSH keys on Windows .NET dev hosts.

typosquatinfostealercrypto-wallet-drainobfuscationcredential-theft
Detected by
Socket
Ecosystems
NuGet
Packages tracked
5

What happened

Socket's threat research team disclosed five NuGet packages pushed by publisher bmrxntfj on 14 April 2026 within a 12–13 second window. The packages impersonate Chinese-language .NET UI libraries (DantUI, OscarUI, an "Infrastructure" framework) and graft a .NET Reactor-protected infostealer onto decompiled copies of the genuine libraries so functionality looks intact.

Execution is automatic on nuget restore via a module-initializer JIT hook — no explicit API call by the consumer is required. The stealer targets 12 browsers, 8 cryptocurrency wallets, SSH keys and arbitrary local files. A second-stage encrypted payload is staged at C:\ProgramData\Microsoft OneDrive\keys.dat.

  • C2 domain: dns-providersa2.com (registered 2026-03-12, Njalla privacy registrar).
  • C2 IP: 62.84.102.85 (VDSINA, ASN 216071, Amsterdam) with /check and /upload endpoints.
  • Dev / staging infra: git.justdotrip.com / 47.100.60.237 (Alibaba Cloud).
  • Shared .NET Reactor RSA-1024 key (base64 prefix zlUkMywGKDNbeJxH) ties the five packages and 219 historical versions together.

Accumulated downloads across all versions reach roughly 64,784 since September 2025. After Socket's analysis began, the operator rotated to version 2.1.57 — defenders should treat the entire IR.* publisher namespace as untrusted rather than relying on a single fixed version.

Affected packages (5)

  • NuGetIR.DantUI
    2.1.55
  • NuGetIR.Infrastructure.Core
    2.1.55
  • NuGetIR.Infrastructure.DataService.Core
    2.1.55
  • NuGetIR.iplus32
    2.1.55
  • NuGetIR.OscarUI
    2.1.55

Impact

  • Browser cred and wallet theft on Windows .NET dev hosts
  • Encrypted secondary stage staged at C:\ProgramData\Microsoft OneDrive\keys.dat
  • Targets Chinese-speaking .NET developers via UI-library impersonation

What to do

  1. 1Remove listed packages from any .NET project
  2. 2Treat credentials and wallets on affected workstations as compromised
  3. 3Block dns-providersa2.com and git.justdotrip.com at egress

References

nuget-2026-04-14-chinese-ui-impersonators