Cybersecurity researchers have uncovered a sophisticated supply chain attack in the NuGet ecosystem involving a malicious package named Tracer.Fody.NLog that impersonates the legitimate Tracer.Fody .NET tracing library. First published as early as 2020, the rogue package remained undetected for more than five years and accumulated roughly 2,000 downloads while quietly stealing Stratis cryptocurrency wallet data from infected Windows systems.
The discovery, detailed in Socket’s December 15, 2025 report and later covered by multiple cybersecurity outlets, highlights the use of advanced typosquatting and impersonation techniques that allowed the malware to evade scrutiny for years. The fake package closely mirrors the legitimate one by following the Tracer.*.Fody naming pattern, copying the original description word for word, and impersonating the real maintainer by registering a nearly identical name. It also employs homoglyph attacks using Cyrillic lookalike characters in assembly attributes, making visual inspection unreliable.
“It presents itself as a standard .NET tracing integration but in reality functions as a cryptocurrency wallet stealer,” Socket security researcher Kirill Boychenko said. “Inside the malicious package, the embedded Tracer.Fody.dll scans the default Stratis wallet directory, reads *.wallet.json files, extracts wallet data, and exfiltrates it together with the wallet password to threat actor-controlled infrastructure in Russia at 176.113.82[.]163.”
Once installed, the malware embeds itself inside a commonly used helper method called Guard.NotNull, a routine developers frequently invoke for argument validation. When executed, the malicious code scans the default Stratis wallet directory on Windows systems, extracts wallet files and in-memory passwords, and exfiltrates the data to a command-and-control (C2) server hosted on a Russian IP address. That infrastructure has been linked to previous campaigns, including a 2023 malicious package that targeted cryptocurrency seed phrases.
The unusually long dwell time has raised serious concerns among security researchers, as the package may already be embedded in private development tools, individual workstations, or automated CI/CD pipelines. Socket noted that the attacker deliberately blended legitimate functionality with malicious logic, making casual code reviews ineffective.
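Two of the techniques described above, the near-identical package ID and the Cyrillic homoglyphs in assembly attributes, can be checked for mechanically in a repository or CI job. The following Python script is an added example, not code from Socket or from the Tracer.Fody project: it collects package IDs from a packages.lock.json or .csproj file, flags the package ID named in the report, and flags any string that mixes Latin letters with letters from another script (such as Cyrillic). The manifest contents, the version numbers and the homoglyph string are constructed sample inputs, not values taken from the report.

```python
"""Defender-side audit helpers for the NuGet case described above.

Added example, not code from Socket or the Tracer.Fody project.  It flags the
package ID named in the report and any mixed-script (e.g. Latin + Cyrillic)
string, which is the visual trick homoglyph attacks rely on.
"""

import json
import unicodedata
import xml.etree.ElementTree as ET

# Package ID from the report.  NuGet IDs are case-insensitive, so compare lowercased.
KNOWN_MALICIOUS_IDS = {"tracer.fody.nlog"}


def mixed_script_chars(text):
    """Return [(char, 'U+XXXX', unicode name)] for letters outside the Latin script
    when the string also contains Latin letters.  A string written entirely in one
    script is not flagged; a Latin identifier with one Cyrillic lookalike is."""
    scripts, suspects = set(), []
    for ch in text:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        script = name.split(" ", 1)[0]          # LATIN, CYRILLIC, GREEK, ...
        scripts.add(script)
        if script != "LATIN":
            suspects.append((ch, f"U+{ord(ch):04X}", name))
    return suspects if "LATIN" in scripts and len(scripts) > 1 else []


def audit_package_ids(ids):
    """Return (package_id, reason) findings: known-bad IDs and homoglyph IDs."""
    findings = []
    for pkg in ids:
        if pkg.lower() in KNOWN_MALICIOUS_IDS:
            findings.append((pkg, "known malicious package ID"))
        hits = mixed_script_chars(pkg)
        if hits:
            findings.append((pkg, "mixed-script ID: " + ", ".join(h[1] for h in hits)))
    return findings


def ids_from_lock_json(text):
    """Collect package IDs from a packages.lock.json document (all target frameworks)."""
    doc = json.loads(text)
    ids = []
    for framework_deps in doc.get("dependencies", {}).values():
        ids.extend(framework_deps.keys())
    return ids


def ids_from_csproj(text):
    """Collect PackageReference Include values from a .csproj document.
    The tag name is compared without namespace so old-style projects work too."""
    root = ET.fromstring(text)
    return [
        el.get("Include")
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "PackageReference" and el.get("Include")
    ]


# Constructed sample manifests: the version numbers are placeholders, not the
# versions from the report.
SAMPLE_LOCK_JSON = """{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "Tracer.Fody": { "type": "Direct", "requested": "[3.0.0, )", "resolved": "3.0.0" },
      "Tracer.Fody.NLog": { "type": "Direct", "requested": "[1.0.0, )", "resolved": "1.0.0" }
    }
  }
}"""

SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Tracer.Fody" Version="3.0.0" />
    <PackageReference Include="Tracer.Fody.NLog" Version="1.0.0" />
  </ItemGroup>
</Project>"""

# Constructed homoglyph: the second letter is CYRILLIC SMALL LETTER A (U+0430),
# which renders identically to Latin 'a'.
SAMPLE_ASSEMBLY_TITLE = "Tr\u0430cer.Fody"


if __name__ == "__main__":
    for label, ids in (("packages.lock.json", ids_from_lock_json(SAMPLE_LOCK_JSON)),
                       (".csproj", ids_from_csproj(SAMPLE_CSPROJ))):
        for pkg, reason in audit_package_ids(ids):
            print(f"{label}: {pkg}: {reason}")
    for ch, cp, name in mixed_script_chars(SAMPLE_ASSEMBLY_TITLE):
        print(f"assembly attribute: {cp} {name} (looks like Latin '{ch}')")
```

The mixed-script check deliberately ignores strings written entirely in one non-Latin script, so it does not fire on legitimately localized text; it fires only on the Latin-plus-lookalike mixture that makes an impersonating name pass visual inspection. Pointing the two manifest readers at real project files and running the audit as a CI step is the intended use.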
The Microsoft and NuGet teams have been notified of the issue, and requests have been made for package removal and publisher suspension. At the time of reporting in mid-December 2025, the package was still publicly accessible.