critical
CVE
Not assigned
CWE
CWE-506
Affected Surface
IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, IR.OscarUI, NuGet packages published by bmrxntfj, .NET developer workstations and CI/CD build hosts that restored and loaded affected assemblies
Socket researchers disclosed a long-running NuGet supply-chain campaign built around five packages published by the bmrxntfj account. The packages impersonate Chinese .NET UI and enterprise infrastructure libraries, but their assemblies also carry a Reactor-protected infostealer that activates when the DLL is loaded.
This is not a broken dependency with a suspicious name; the packages include functional .NET code that helps them blend into real projects. That raises the risk for developer workstations, build agents, and internal package mirrors where a routine restore can look normal until application or test code loads the assembly.
Affected packages
Security teams should search dependency manifests, lockfiles, package caches, and internal registries for any version of these NuGet package IDs:
- IR.DantUI
- IR.Infrastructure.Core
- IR.Infrastructure.DataService.Core
- IR.iplus32
- IR.OscarUI
The campaign reportedly published 224 versions across the five package IDs. Most of them were unlisted, so they do not appear in public NuGet search, but an unlisted version is still installable by anyone who requests it by exact version, including an existing lockfile or a pinned reference. Treat exposure as package-ID based, not just hash or version based.
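A way to run the search the paragraph above describes, as an added example in Python that is not code from Socket's report or from the affected packages: it parses packages.config, PackageReference entries in project files, packages.lock.json, project.assets.json, and the directory layout of the NuGet global packages folder, and matches on package ID alone so unlisted or rotated versions are still caught. The sample manifests inside the block are constructed for illustration; the NUGET_PACKAGES override and the ~/.nuget/packages default are NuGet's real conventions.

```python
import json
import os
import xml.etree.ElementTree as ET
from pathlib import Path

# Package IDs named in the advisory. NuGet IDs are case-insensitive and the global
# packages folder stores them lowercased, so every comparison lowercases first.
AFFECTED_IDS = {"ir.dantui", "ir.infrastructure.core", "ir.infrastructure.dataservice.core",
                "ir.iplus32", "ir.oscarui"}

def _local(tag):
    """Strip an XML namespace; old-style MSBuild files carry one, SDK-style ones do not."""
    return tag.rsplit("}", 1)[-1]

def ids_from_packages_config(text):
    """<package id="..." version="..."/> entries in packages.config."""
    return [(p.get("id"), p.get("version"))
            for p in ET.fromstring(text).iter("package") if p.get("id")]

def ids_from_project(text):
    """<PackageReference Include="..."/> in .csproj/.fsproj/.vbproj/.props/.targets;
    the version may be an attribute, a child element, or absent (central versioning)."""
    out = []
    for el in ET.fromstring(text).iter():
        if _local(el.tag) != "PackageReference" or not el.get("Include"):
            continue
        ver = el.get("Version")
        if ver is None:
            for child in el:
                if _local(child.tag) == "Version" and child.text:
                    ver = child.text.strip()
        out.append((el.get("Include"), ver))
    return out

def ids_from_lock_file(text):
    """packages.lock.json: dependencies -> <tfm> -> <Id> -> {"resolved": <version>}."""
    return [(pkg_id, info.get("resolved"))
            for tfm in json.loads(text).get("dependencies", {}).values()
            for pkg_id, info in tfm.items()]

def ids_from_assets_file(text):
    """project.assets.json (obj/): libraries keyed "<Id>/<version>" with type "package"."""
    return [tuple(key.split("/", 1))
            for key, info in json.loads(text).get("libraries", {}).items()
            if info.get("type") == "package" and "/" in key]

def ids_from_global_packages_folder(root):
    """<root>/<id-lowercase>/<version>/ layout of the NuGet global packages folder."""
    root = Path(root)
    if not root.is_dir():
        return []
    return [(p.name, v.name) for p in root.iterdir() if p.is_dir()
            for v in p.iterdir() if v.is_dir()]

def find_affected(entries):
    """Keep (id, version) pairs whose ID is affected, regardless of version or hash."""
    return [(i, v) for i, v in entries if i and i.lower() in AFFECTED_IDS]

PARSERS = {"packages.config": ids_from_packages_config,
           "packages.lock.json": ids_from_lock_file,
           "project.assets.json": ids_from_assets_file}
PROJECT_SUFFIXES = (".csproj", ".fsproj", ".vbproj", ".props", ".targets")

def scan_tree(root):
    """Walk a checkout and report every manifest or lockfile naming an affected package."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        parser = PARSERS.get(path.name.lower())
        if parser is None and path.suffix.lower() in PROJECT_SUFFIXES:
            parser = ids_from_project
        if parser is None:
            continue
        try:
            entries = parser(path.read_text(encoding="utf-8-sig"))
        except (ET.ParseError, json.JSONDecodeError, OSError):
            continue  # a production scan should log unparseable files for manual review
        hits += [(str(path), i, v) for i, v in find_affected(entries)]
    return hits

# Constructed sample inputs (not real project files) so the parsers run offline.
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
    "IR.OscarUI": {"type": "Direct", "requested": "[1.2.3, )", "resolved": "1.2.3"}}}})
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  <PackageReference Include="IR.Infrastructure.Core"><Version>2.0.0</Version></PackageReference>
</ItemGroup></Project>"""
SAMPLE_PACKAGES_CONFIG = '<packages><package id="ir.iplus32" version="0.9.1" /></packages>'

if __name__ == "__main__":
    print(find_affected(ids_from_lock_file(SAMPLE_LOCK)),
          find_affected(ids_from_project(SAMPLE_CSPROJ)),
          find_affected(ids_from_packages_config(SAMPLE_PACKAGES_CONFIG)))
    gpf = os.environ.get("NUGET_PACKAGES") or Path.home() / ".nuget" / "packages"
    print("checkout:", scan_tree("."), "\nglobal packages folder:",
          find_affected(ids_from_global_packages_folder(gpf)))
```

Run it from the root of a checkout on each developer machine and build agent. Any hit is an exposure regardless of the version string, because the operator rotates versions while keeping the IDs; the global packages folder check catches packages that were restored at some point even if the manifest has since been cleaned up.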
Attack chain
The packages use legitimate-looking library surfaces and NuGet metadata to reach .NET projects. Once loaded, the malicious path runs through a .NET module initializer. The CLR runs a module initializer the first time the module is used, before any of the assembly's own types or methods, so the victim does not need to call an exported package API for the payload to start; referencing the package and letting the runtime load the assembly is enough.
Public analysis describes a protected loader that:
- Verifies a .NET Reactor anti-tamper signature.
- Allocates executable memory.
- Decrypts a second-stage payload.
- Hooks JIT compilation so decrypted code can execute while the library continues to behave normally.
Socket also found cross-platform code paths for Linux and macOS alongside Windows-specific loader behavior, which matters for CI systems that restore NuGet packages on non-Windows builders.
What the payload steals
The recovered second-stage payload, tracked in reporting as we4ftg.exe, targets high-value developer and personal data:
- Browser passwords, cookies, autofill data, and payment card data from Chromium-family browsers.
- Firefox, Mozilla, and Thunderbird data.
- Browser wallet extensions including MetaMask, TronLink, Phantom, Trust Wallet, and Coinbase Wallet.
- Desktop crypto wallets including Exodus, Electrum, Atomic, Guarda, Coinomi, Ledger, Jaxx, and Binance.
- SSH private keys, Outlook profiles, Steam credentials, and files from Documents, Desktop, and Downloads.
Stolen data is staged at C:\ProgramData\Microsoft OneDrive\keys.dat, a path chosen to blend into legitimate Microsoft OneDrive filesystem activity. Legitimate OneDrive should not create that file.
Infrastructure and evasion
The primary command-and-control domain reported for the campaign is dns-providersa2[.]com, with exfiltration to /upload and beaconing to /check. The domain name is designed to look like ordinary DNS provider traffic in logs.
The versioning strategy is also important. By unlisting older versions and publishing new visible versions, the operator can rotate payload hashes while preserving package names that may already be pinned or mirrored. Hash-based blocking is useful, but it is not enough for this campaign.
Remediation
If any affected package ID appears in a project, lockfile, local NuGet cache, build log, or package mirror, treat every host that restored and loaded the package as compromised.
Recommended response:
- Remove the affected package and replace it with the legitimate upstream library or an internally verified package.
- Purge local and shared NuGet caches that contain the package, including the per-user global packages folder (.nuget/packages) and the NuGet HTTP cache, on developer machines and build agents alike.
- Rotate credentials accessible from affected hosts, including cloud keys, package-registry tokens, GitHub tokens, SSH keys, browser-saved credentials, and crypto wallet material.
- Review CI logs for unexpected outbound traffic to dns-providersa2[.]com or 62[.]84[.]102[.]85.
- Search for C:\ProgramData\Microsoft OneDrive\keys.dat on Windows build and developer machines.
For prevention, require review for new package IDs that resemble internal libraries, block unlisted external packages unless explicitly approved, and keep build credentials scoped to the minimum needed for each job.
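The two detection steps in the response list above (reviewing CI logs for the command-and-control indicators and checking for the staged keys.dat), as an added example in Python that is not code from Socket's report or from the affected packages. It refangs the advisory's indicators, matches them against log lines with boundaries so that a longer IP such as 162.84.102.85 does not trigger on the 62.84.102.85 indicator, and separately flags the /check and /upload endpoints. The log lines inside the block are constructed for illustration, and the staging-file check reads the ProgramData location from the environment.

```python
import os
import re
from pathlib import Path

# Network indicators from the advisory, kept defanged in source and refanged at load time.
DEFANGED_NETWORK_IOCS = ["dns-providersa2[.]com", "62[.]84[.]102[.]85",
                         "git[.]justdotrip[.]com", "47[.]100[.]60[.]237"]
# Beacon and exfiltration endpoints on the primary C2 domain.
C2_PATHS = ("/check", "/upload")
# Staging file; ProgramData comes from the environment so non-C: installs are checked too.
STAGED_FILE = Path(os.environ.get("ProgramData", r"C:\ProgramData")) / "Microsoft OneDrive" / "keys.dat"

def refang(ioc):
    """Turn the defanged form used in reports back into a matchable string."""
    return ioc.replace("[.]", ".")

NETWORK_IOCS = [refang(i) for i in DEFANGED_NETWORK_IOCS]
# Boundaries keep 162.84.102.85 from matching the 62.84.102.85 indicator while still
# allowing a subdomain prefix or a following ":port" or "/path".
IOC_PATTERN = re.compile(r"(?<![\w-])(?:" + "|".join(re.escape(i) for i in NETWORK_IOCS) + r")(?![\w-])",
                         re.IGNORECASE)
C2_PATH_PATTERN = re.compile(r"dns-providersa2\.com(?::\d+)?(" + "|".join(re.escape(p) for p in C2_PATHS) + r")(?![\w-])",
                             re.IGNORECASE)

def scan_log_lines(lines):
    """Return (line_no, indicator, c2_path_or_None, line) for each line naming an indicator.
    Works on any text log that records DNS queries, proxy CONNECTs, or full URLs."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = IOC_PATTERN.search(line)
        if not m:
            continue
        p = C2_PATH_PATTERN.search(line)
        hits.append((n, m.group(0).lower(), p.group(1).lower() if p else None, line.rstrip()))
    return hits

def staged_file_present(path=STAGED_FILE):
    """True if the infostealer's staging file exists; legitimate OneDrive does not create it."""
    return Path(path).is_file()

# Constructed CI log lines (not a real capture) mixing a benign restore with the campaign's indicators.
SAMPLE_LOG = """\
2024-05-02T10:01:12Z restore: Restored /src/App/App.csproj (in 2.4 sec).
2024-05-02T10:01:40Z dns: query A dns-providersa2.com from build-agent-03
2024-05-02T10:01:41Z proxy: CONNECT 62.84.102.85:443 from build-agent-03
2024-05-02T10:01:42Z proxy: POST https://dns-providersa2.com/upload 200 184211 bytes
2024-05-02T10:02:00Z proxy: GET https://api.nuget.org/v3/index.json 200
"""

if __name__ == "__main__":
    for line_no, ioc, c2_path, line in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {ioc} {c2_path or ''} <- {line}")
    print("staging file present:", staged_file_present())
```

A line that carries /upload is the one to treat as confirmed exfiltration rather than mere beaconing, so the C2 path is reported separately from the domain match. Feed the function the CI agent's egress proxy or DNS resolver logs for the period covering any restore of an affected package.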
Indicators of compromise
Package and publisher indicators:
- NuGet package IDs: IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, IR.OscarUI
- NuGet publisher: bmrxntfj
Host and network indicators:
- C:\ProgramData\Microsoft OneDrive\keys.dat
- dns-providersa2[.]com
- https://dns-providersa2[.]com/check
- https://dns-providersa2[.]com/upload
- 62[.]84[.]102[.]85
- git[.]justdotrip[.]com
- 47[.]100[.]60[.]237