A sustained cyberattack targeting .NET developers has been flying under the radar for at least seven months, and it shows no signs of stopping. Researchers at Socket recently uncovered a campaign in which threat actors distributed five malicious NuGet packages designed to impersonate legitimate Chinese enterprise libraries. These packages have collectively amassed nearly 65,000 downloads, placing tens of thousands of developer workstations and CI build servers at severe risk. The attackers are not after your grandmother’s browser history; they want credentials, cryptocurrency wallets, and private keys that unlock corporate infrastructure.
The operation revolves around a single threat actor account named “bmrxntfj.” This publisher uploaded packages with the prefixes IR.DantUI, IR.OscarUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, and IR.iplus32. Each library mimics names that would look perfectly natural inside a Chinese .NET development shop. Unlike typical typosquatting attempts, these names do not contain obvious misspellings or odd characters. They simply look like internal corporate libraries, which makes them dangerously plausible to developers who might be grabbing dependencies on autopilot.
Version Rotation: A Stealth Tactic That Keeps Evolving
Security tools have gotten good at blocking known file hashes, so the attackers adapted. Socket’s analysis reveals that bmrxntfj uses a technique called version rotation. They publish a new version of the malicious package while quietly hiding older ones from public view. By constantly changing the file signatures, they bypass standard security scanners that rely on hash-based blocking. This rotation cycle has allowed the campaign to operate undetected for months, with each new version slipping through conventional defenses.
The malware itself is an infostealer that activates as soon as the package is installed. Socket’s AI scanner detected in-memory payload loaders, anti-tamper checks, and RWX memory allocation via native interop. The code even accesses Linux /proc/self/mem, a clear signal of malicious supply chain behavior. Once the payload takes hold, the system is compromised beyond simple data theft.
Browser Data, Crypto Wallets, and SSH Keys in the Crosshairs
This infostealer is aggressive and thorough. It extracts saved passwords, cookies, and autofill data from twelve different browsers, including Chrome, Edge, Brave, and Opera. What is particularly worrying is that it bypasses App-Bound Encryption, the latest security mechanism introduced in recent Chrome updates. If you thought your browser was safe, think again.
Beyond standard credentials, the stealer hunts for digital financial assets. It targets browser wallet extensions like MetaMask, Phantom, and Coinbase Wallet. It also goes after desktop cryptocurrency wallets such as Exodus and Electrum. SSH private keys, Outlook email profiles, and Steam session configurations are all fair game. Even personal documents from Desktop and Downloads folders get scooped up and packaged for exfiltration.
All stolen material is hidden inside a fake Microsoft OneDrive directory located in the ProgramData folder. Legitimate OneDrive never uses that path, so it serves as a clear indicator of compromise. If you find a suspicious OneDrive folder in ProgramData, you probably have a bigger problem than a missing file.
Who Is Behind bmrxntfj, and What Are the IOCs?
Socket has shared a full set of Indicators of Compromise. The malicious packages are IR.DantUI, IR.OscarUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, and IR.iplus32. Each one impersonates a legitimate library used in Chinese .NET environments. The campaign appears to target organizations that rely on these internal tools, making it a focused supply chain attack rather than a broad spray.
Taken together, the volume of downloads and the sophistication of the evasion techniques suggest a well-resourced threat actor. Whether this is a state-sponsored group or a financially motivated gang remains unclear. But the careful naming, the version rotation, and the ability to bypass Chrome encryption indicate a high level of technical skill.
For developers and security teams, this campaign highlights a growing risk in the open source ecosystem. Download counts are not a reliable measure of trust. A package with 65,000 downloads could be a community favorite or a carefully planted mine. The only way to stay safe is to inspect dependencies thoroughly, use runtime detection tools, and treat every package as potentially hostile until proven otherwise.
The attack also underscores a painful reality: no matter how secure your infrastructure is, a single developer pulling a malicious package can bring everything down. Build servers, CI pipelines, and local workstations all become attack surfaces. The best defense is a combination of automated scanning, strict package whitelisting, and a healthy dose of skepticism.
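As an added example (not Socket's tooling and not code from the report), the Python audit below does two of the checks suggested above: it flags the five package IDs from the IoC list in a NuGet packages.lock.json (direct and transitive entries), reports anything outside a project allow-list, and looks for a OneDrive-named directory directly under ProgramData. The lock-file contents are constructed; the report does not give the exact name of the fake directory, so matching on "onedrive" in the folder name is an assumption.

```python
"""Added example: audit a NuGet lock file and ProgramData for the IoCs named in the report."""
import json
import os
from pathlib import Path

# Package IDs named in the Socket report. NuGet IDs are case-insensitive, so compare lowercased.
MALICIOUS_IDS = {
    "ir.dantui", "ir.oscarui", "ir.infrastructure.core",
    "ir.infrastructure.dataservice.core", "ir.iplus32",
}

def audit_lock_file(lock_json: str, allowlist: set[str]) -> dict[str, list[str]]:
    """Parse packages.lock.json text and classify every resolved package (direct and transitive)."""
    data = json.loads(lock_json)
    findings = {"malicious": [], "not_allowlisted": []}
    allowed = {a.lower() for a in allowlist}
    for framework, deps in data.get("dependencies", {}).items():
        for pkg_id, info in deps.items():
            entry = f"{pkg_id} {info.get('resolved', '?')} ({framework}, {info.get('type', '?')})"
            if pkg_id.lower() in MALICIOUS_IDS:
                findings["malicious"].append(entry)
            elif pkg_id.lower() not in allowed:
                findings["not_allowlisted"].append(entry)
    return findings

def find_fake_onedrive_dirs(program_data: str) -> list[str]:
    """Directories directly under ProgramData whose name contains 'onedrive' (assumed IoC pattern)."""
    root = Path(program_data)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.iterdir() if p.is_dir() and "onedrive" in p.name.lower())

# Constructed sample lock file: one allowed package, two of the reported IDs, one unvetted package.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3", "contentHash": "PLACEHOLDER"},
            "IR.DantUI": {"type": "Direct", "requested": "[1.0.0, )", "resolved": "1.0.0", "contentHash": "PLACEHOLDER"},
            "IR.Infrastructure.Core": {"type": "Transitive", "resolved": "2.1.0", "contentHash": "PLACEHOLDER"},
            "Serilog": {"type": "Transitive", "resolved": "3.1.1", "contentHash": "PLACEHOLDER"},
        }
    },
})

if __name__ == "__main__":
    print(audit_lock_file(SAMPLE_LOCK, allowlist={"Newtonsoft.Json"}))
    print(find_fake_onedrive_dirs(os.environ.get("ProgramData", r"C:\ProgramData")))
```

Point `audit_lock_file` at each project's real packages.lock.json (and the CI cache) rather than the sample; a hit in the "malicious" list is a compromise indicator, while "not_allowlisted" entries are simply packages the allow-list has not vetted yet.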
As the lines between open source convenience and security continue to blur, campaigns like this one will only become more common. The question is not whether another supply chain attack will surface, but whether your organization is ready to catch it before the damage is done.