Socket’s Threat Research Team discovered five malicious NuGet packages that have accumulated approximately 65,000 downloads by typosquatting widely used Chinese enterprise .NET UI and infrastructure libraries. Published under the account bmrxntfj, the packages target developers working in Chinese enterprise .NET environments and deliver a .NET Reactor-protected infostealer embedded within decompiled copies of legitimate open-source code. Socket published its findings on May 7–9, 2026.
The five packages — IR.DantUI, IR.OscarUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, and IR.iplus32 — are crafted to blend into the dependency trees of enterprise .NET applications that rely on popular Chinese UI frameworks and infrastructure components. Each package appears functionally legitimate because it is built from a decompiled copy of the real library, with the infostealer payload added alongside working code.
How the Typosquatting Campaign Evades Detection
The package names are near-identical to those of the legitimate Chinese .NET libraries they impersonate, differing only in a namespace prefix that developers in fast-moving enterprise environments may not scrutinize closely. When a developer or a CI/CD build pipeline pulls in one of the malicious packages, whether through a mistyped dependency name, a dependency confusion attack against an internal feed, or a compromised internal registry entry, the referenced assembly carries both the working library code and the hidden payload, so the infostealer runs wherever the library is loaded.
The infostealer payload is protected by .NET Reactor, a commercial code obfuscation and licensing tool that applies control flow obfuscation, string encryption, and resource protection to defeat straightforward decompilation. The choice of a commercial obfuscator is a deliberate investment in evading analysis rather than the mark of an opportunistic campaign.
What the Infostealer Collects from Developer Workstations and Build Servers
The malware targets a broad range of stored credentials and sensitive data on each infected system:
- Saved credentials from 12 browsers, covering the major Chromium-based and Mozilla browsers
- 8 desktop cryptocurrency wallets
- 5 browser-based cryptocurrency wallet extensions
All stolen data is exfiltrated to a newly registered command-and-control domain. Keeping the C2 domain separate from the packages lets the operator rotate infrastructure while the same malicious packages remain on NuGet.
The breadth of targets reflects a dual monetization strategy: corporate browser credentials provide access to enterprise cloud platforms, version control systems, and CI/CD pipelines; cryptocurrency wallet credentials enable direct financial theft.
A Seven-Month Persistent Operation with Active Infrastructure Rotation
Socket’s analysis established that this campaign has been active for at least seven months, based on the versioning history of packages published by the bmrxntfj account. The operator published version 2.1.55, then rotated to 2.1.56 and 2.1.57 under analysis pressure, which shows active monitoring of researcher scrutiny and ongoing operational maintenance.
The seven-month lifespan means the 65,000 download figure represents victims accumulated steadily over the whole period, on developer workstations and CI/CD build servers alike. Credentials exfiltrated from build pipelines earlier in the campaign may already be in active use.
The Supply Chain Risk to Enterprise .NET CI/CD Pipelines
Developer workstations and build servers are high-value targets in software supply chain attacks because they hold credentials to production infrastructure, source code repositories, cloud platforms, and deployment systems. A credential-stealing package that executes during a build pipeline run can silently exfiltrate the pipeline’s service account credentials, code signing certificates, and cloud access keys without triggering standard runtime security controls that monitor production workloads.
Socket’s Disclosure: Five Confirmed Package Names, bmrxntfj Account Logs, and Credential Rotation Scope
Socket recommends organizations audit their NuGet dependency trees, including transitive references resolved in packages.lock.json and project.assets.json, for the five identified packages (IR.DantUI, IR.OscarUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32). Client-side restore logs record package IDs rather than publishers, so also check package owner metadata on nuget.org for anything else published by the bmrxntfj account.
Affected packages should be removed and all credentials accessible from affected environments, including service accounts used in CI/CD pipelines, cloud provider access keys, and developer personal access tokens, should be rotated following forensic review. Organizations operating internal NuGet feeds should verify that these packages have not been mirrored or cached into internal repositories from which they could continue to propagate to new developer environments, and should consider NuGet package source mapping so that internal package prefixes can only be resolved from the internal feed.
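One way to carry out the dependency audit described above, as an added example that is not Socket's tooling or any vendor's code: a Python script that walks a source tree, reads the files in which NuGet records direct and transitive references (project files, packages.config, packages.lock.json, obj/project.assets.json) and reports every reference to one of the five package IDs. The sample project it writes into a temporary directory, including its version numbers, is constructed for this example; package-ID comparison is case-insensitive because NuGet treats IDs that way.

```python
"""Audit a source tree for the five NuGet package IDs named in Socket's disclosure.

Added example, not Socket's tooling. It walks a directory, reads the files in
which NuGet records direct and transitive references, and reports every match.
The sample project written by demo() is constructed for this example.
"""
import json
import os
import tempfile
import xml.etree.ElementTree as ET

# Package IDs from the disclosure. NuGet IDs are case-insensitive, so all
# comparisons use the lower-cased form.
MALICIOUS_IDS = {
    "ir.dantui",
    "ir.oscarui",
    "ir.infrastructure.core",
    "ir.infrastructure.dataservice.core",
    "ir.iplus32",
}

PROJECT_SUFFIXES = (".csproj", ".fsproj", ".vbproj")


def refs_from_project(path):
    """Yield (id, version) from <PackageReference> items in an SDK-style or legacy project file."""
    for el in ET.parse(path).iter():
        if el.tag.endswith("PackageReference"):  # endswith() tolerates an xmlns prefix
            pid = el.get("Include") or el.get("Update")
            if pid:
                yield pid, el.get("Version") or ""


def refs_from_packages_config(path):
    """Yield (id, version) from a legacy packages.config."""
    for el in ET.parse(path).iter("package"):
        if el.get("id"):
            yield el.get("id"), el.get("version") or ""


def refs_from_lock_file(path):
    """Yield (id, resolved version) from packages.lock.json, which lists transitive packages too."""
    with open(path, encoding="utf-8") as f:
        data = json.load(f)
    for framework_deps in data.get("dependencies", {}).values():
        for pid, info in framework_deps.items():
            yield pid, info.get("resolved", "")


def refs_from_assets_file(path):
    """Yield (id, version) from obj/project.assets.json; library keys look like "Pkg.Id/1.2.3"."""
    with open(path, encoding="utf-8") as f:
        data = json.load(f)
    for key, info in data.get("libraries", {}).items():
        if info.get("type") == "package" and "/" in key:
            pid, ver = key.split("/", 1)
            yield pid, ver


BY_FILENAME = {
    "packages.config": refs_from_packages_config,
    "packages.lock.json": refs_from_lock_file,
    "project.assets.json": refs_from_assets_file,
}


def audit_tree(root):
    """Return sorted (relative file, package id, version) tuples for every flagged reference."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            parser = refs_from_project if name.endswith(PROJECT_SUFFIXES) else BY_FILENAME.get(name)
            if parser is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                for pid, ver in parser(path):
                    if pid.lower() in MALICIOUS_IDS:
                        hits.append((os.path.relpath(path, root), pid, ver))
            except (ET.ParseError, json.JSONDecodeError, OSError):
                continue  # unreadable file: skip it rather than abort the audit
    return sorted(hits)


# Constructed sample project: one direct reference, one transitive reference
# visible only in the lock file, and one visible only in the restore assets.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="IR.DantUI" Version="2.1.57" />
  </ItemGroup>
</Project>
"""
SAMPLE_LOCK = {"version": 1, "dependencies": {"net8.0": {
    "Newtonsoft.Json": {"type": "Direct", "resolved": "13.0.3"},
    "IR.Infrastructure.Core": {"type": "Transitive", "resolved": "2.1.56"},
}}}
SAMPLE_ASSETS = {"libraries": {
    "Newtonsoft.Json/13.0.3": {"type": "package"},
    "ir.iplus32/2.1.55": {"type": "package"},
    "App/1.0.0": {"type": "project"},
}}


def demo():
    """Write the constructed sample tree to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "src", "App")
        os.makedirs(os.path.join(app, "obj"))
        with open(os.path.join(app, "App.csproj"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_CSPROJ)
        with open(os.path.join(app, "packages.lock.json"), "w", encoding="utf-8") as f:
            json.dump(SAMPLE_LOCK, f)
        with open(os.path.join(app, "obj", "project.assets.json"), "w", encoding="utf-8") as f:
            json.dump(SAMPLE_ASSETS, f)
        return audit_tree(root)


if __name__ == "__main__":
    for rel_path, pid, ver in demo():
        print(f"FLAGGED {pid} {ver} in {rel_path}")
```

Point audit_tree() at a repository checkout or a CI workspace root. Because project.assets.json records what restore actually resolved, scanning it catches a transitive pull-in that never appears in any project file; a package cached or mirrored in an internal feed has to be checked on the feed itself, which this script does not reach.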
