Malicious Package Affecting cleary.asyncextensions package, versions [0,]
Threat Intelligence
Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DOTNET-CLEARYASYNCEXTENSIONS-14425502
- published16 Dec 2025
- disclosed16 Dec 2025
- creditKirill Boychenko
Introduced: 16 Dec 2025
Malicious CVE NOT AVAILABLE CWE-506 (opens in a new tab)How to fix?
Avoid using all malicious instances of the Cleary.AsyncExtensions package.
Overview
Cleary.AsyncExtensions is a malicious package.
This package contains malicious code, and impersonates the legitimate AsyncEx ecosystem by typosquatting Stephen Cleary’s libraries under a look-alike maintainer name. It disguises itself as a harmless argument-validation helper, but secretly captures sensitive values such as wallet mnemonics, passphrases, or credentials passed to NotNull / NotEmpty helpers and silently exfiltrates them to attacker-controlled infrastructure, using the same homoglyph and exception-suppression techniques observed in related NuGet supply-chain attacks.
This package's content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship.