Five malicious NuGet packages published under account bmrxntfj impersonate Chinese .NET libraries to deploy an infostealer targeting browser credentials, cryptocurrency wallets, SSH keys, and local files. The packages typosquat legitimate Chinese UI and infrastructure libraries, grafting .NET Reactor-protected payloads onto decompiled legitimate code. The campaign uses version rotation to evade hash-based detection, with 219 of 224 total versions unlisted but fetchable. The stealer targets 12 browsers, 8 desktop crypto wallets, and 5 browser wallet extensions, exfiltrating data to a newly-registered C2 domain. With approximately 65,000 downloads across all versions, the campaign puts tens of thousands of developer workstations and CI/CD build servers at risk. The payload executes through .NET module initializers, hooks the CLR JIT compiler, and supports cross-platform infection including Linux and macOS infrastructure.