Security researchers have identified 11 malicious NuGet packages disguised as game cheats, automation bots, and management tools. Instead of providing the advertised functionality, these packages install a Windows malware known as Pepesoft.
The malicious packages were distributed as .NET command-line tools, allowing users to install them using the standard dotnet tool install command. They primarily targeted players of popular games such as Albion Online, GTA5RP, GrandRP, Majestic RP, Lineage 2, Russian Fishing 4, and Throne and Liberty.
After discovering the campaign, researchers reported the packages to NuGet’s security team for removal.
How the Malware Operates
Once installed, the malicious package downloads a second-stage payload called pepesoft.exe from attacker-controlled infrastructure hosted on GitHub Releases and Hugging Face.

The malware includes several techniques to avoid detection and maintain its operation. It uses Google DNS-over-HTTPS to resolve download servers, making it more difficult for traditional DNS-based security controls to block its activity. In many cases, it also attempts to synchronize the system clock before downloading additional components.
After installation, Pepesoft contacts remote servers to retrieve configuration updates and collect information from the infected device. The malware generates a unique hardware identifier and gathers system information such as usernames, computer names, hardware details, network information, public IP addresses, and approximate location.
Some variants also include Telegram bot functionality, allowing attackers to remotely capture screenshots of the victim’s desktop. These screenshots could expose browser sessions, password managers, cryptocurrency wallets, authentication prompts, private conversations, or other sensitive information displayed on the screen.
Security Recommendations
Developers and organizations should review their development environments for suspicious NuGet packages and investigate any unexpected execution of pepesoft.exe.
Recommended security measures include:
- Review installed NuGet packages and remove any unknown or suspicious tools.
- Verify the authenticity of open-source packages before installation.
- Monitor systems for unexpected execution of pepesoft.exe.
- Watch for unusual outbound connections to GitHub, Hugging Face, and other unknown infrastructure.
- Monitor for unexpected DNS-over-HTTPS traffic from development systems.
- Keep endpoint security solutions updated and regularly scan developer workstations.
- Educate developers about software supply chain attacks and package verification.
This campaign highlights the growing risk of software supply chain attacks, where attackers disguise malicious packages as legitimate developer tools. Carefully verifying third-party packages before installation remains one of the most effective ways to reduce this risk.