Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsAvoid using all malicious instances of the l2-x-x package.
l2-x-x is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package attempts to impersonate legitimate gaming utilities, bots, or performance panels, it is entirely malicious and has no connection to the games or publishers it references.
Attack Chain
The package is distributed as a .NET command-line tool (DotnetTool) and executes in two distinct phases once run:
The Downloader (Stage 1): Upon execution, a bundled .NET assembly acts as a downloader. To bypass local security blocks or DNS sinkholes, it resolves its download hosts using DNS-over-HTTPS (DoH). It then requests administrative privileges to resync the system clock before fetching the final payload.
The Payload (Stage 2): The downloader fetches and launches a PyInstaller-packed Windows executable named pepesoft.exe from remote repositories. This payload uses Google Sheets to log victim telemetry and, in several variants, exposes a backdoor that allows attackers to remotely capture and exfiltrate screenshots of your desktop via Telegram.
Notes:
This campaign is highly target-specific and impacts Windows environments.
Unlike standard library dependencies, this attack exploits NuGet’s DotnetTool infrastructure, meaning the malicious code is triggered when a user runs the corresponding CLI command (e.g., throne-run).
Users who have installed this package should immediately uninstall and remove it from their systems. Because administrative credentials and payload execution are involved, any system that ran the command should be treated as compromised.