Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens
"The NuGet page for the malicious package is set up to resemble the official Stripe.net package as closely as possible. It uses the same icon as the legitimate package and contains a nearly identical readme, only swapping the 'Stripe.net' references to read 'Stripe-net.' In a further effort to lend credibility to the typosquatted package, the threat actor behind the campaign is said to have artificially inflated the download count to more than 180,000."
"The package replicates some of the legitimate Stripe package's functionality, but also modifies certain critical methods to collect and transfer sensitive data, including the user's Stripe API token, back to the threat actor. With the rest of the codebases remaining fully functional, it's unlikely to attract any suspicion from unsuspecting developers who may have inadvertently downloaded it."
"ReversingLabs said it discovered and reported the package 'relatively soon' after it was initially released, causing it to be taken down before it could inflict any serious damage. The software supply chain security company also noted that the activity marks a shift from prior campaigns that have leveraged bogus NuGet packages to target the cryptocurrency ecosystem and facilitate wallet key theft."
Cybersecurity researchers discovered a typosquatted malicious package on NuGet Gallery called StripeApi.Net designed to impersonate Stripe.net, a legitimate library with over 75 million downloads. The threat actor uploaded the package under the username StripePayments on February 16, 2026, and artificially inflated download counts to over 180,000 across 506 versions. The malicious package replicated legitimate Stripe functionality while secretly modifying critical methods to steal sensitive data, including Stripe API tokens, and transmit them to the attacker. The package's design closely mimicked the official version using identical icons and nearly identical documentation. ReversingLabs discovered and reported the package relatively quickly, preventing significant damage. This campaign represents a shift from previous NuGet-based attacks targeting cryptocurrency ecosystems.
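A defender-side check for the lookalike naming described above, as an added example that is not from ReversingLabs or The Hacker News: it audits the PackageReference entries of a project file against an allowlist of expected package IDs. The allowlist, the sample project file, the version numbers and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Assumption: the package IDs this project is expected to depend on.
TRUSTED_IDS = {"Stripe.net", "Newtonsoft.Json"}

# Constructed sample project file, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="StripeApi.Net" Version="1.0.0" />
    <PackageReference Include="Serilog" Version="3.1.1" />
  </ItemGroup>
</Project>"""

def _norm(pkg_id):
    # NuGet IDs are case-insensitive; drop separators so "Stripe-net" == "Stripe.net".
    return re.sub(r"[^a-z0-9]", "", pkg_id.lower())

def lookalike_of(pkg_id, trusted=TRUSTED_IDS, threshold=0.8):
    """Return the trusted ID that pkg_id resembles, or None if it is fine."""
    if pkg_id.lower() in {t.lower() for t in trusted}:
        return None  # exact (case-insensitive) match with an expected package
    cand = _norm(pkg_id)
    for t in sorted(trusted):
        target = _norm(t)
        brand = _norm(t.split(".")[0])  # leading name segment, e.g. "stripe"
        if (cand == target                      # separator swap
                or cand.startswith(brand)       # borrows the brand prefix
                or SequenceMatcher(None, cand, target).ratio() >= threshold):
            return t
    return None

def audit_csproj(xml_text):
    """List (referenced_id, resembled_trusted_id) pairs that need manual review."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "PackageReference":  # tolerate XML namespaces
            continue
        pkg_id = el.get("Include") or el.get("Update") or ""
        match = lookalike_of(pkg_id)
        if match:
            findings.append((pkg_id, match))
    return findings

if __name__ == "__main__":
    for ref, real in audit_csproj(SAMPLE_CSPROJ):
        print(f"REVIEW: '{ref}' resembles expected package '{real}'")
```

A hit means the reference needs a manual look at publisher and package history, since download counts and readme content can be copied or inflated as described above.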
Read at The Hacker News