Cybersecurity researchers have revealed details of a new malicious package discovered in the NuGet Gallery that targets the financial sector by impersonating a library from financial services company Stripe.
The package, codenamed StripeApi.Net, attempts to impersonate Stripe.net, the official Stripe library that has been downloaded over 75 million times. This package was uploaded on February 16, 2026 by a user named StripePayments. This package is currently unavailable.
“NuGet pages for malicious packages are set up to look as similar to official Stripe.net packages as possible,” said Petar Kirhmajer of ReversingLabs. “It uses the same icon as the official package and includes an almost identical Readme, but only replaces references to ‘Stripe.net’ with ‘Stripe-net.'”
The attackers behind this campaign are said to have artificially inflated the number of downloads to more than 180,000 to further increase the credibility of the typosquatted packages. But in an interesting twist, the downloads were split into 506 versions, with each version averaging around 300 downloads.
This package replicates some of the functionality of the legitimate Stripe package, but also modifies certain key methods for collecting and transmitting sensitive data, including users’ Stripe API tokens, to threat actors. The rest of the codebase is fully functional and is unlikely to arouse suspicion from unsuspecting developers who may have downloaded it inadvertently.
ReversingLabs said it discovered and reported the package “relatively soon” after it was first released, so it was removed before it could do any serious damage.
The software supply chain security firm also noted that this activity marks a shift from previous campaigns that leveraged fake NuGet packages to target the cryptocurrency ecosystem and facilitate the theft of wallet keys.
“Even if a developer accidentally downloads and integrates a typeposquated library like StripeAPI.net, the application will compile successfully and function as intended,” Kirhmajer said. “Payments are processed successfully and nothing appears to be broken from the developer’s perspective. However, in the background sensitive data is secretly copied and exposed by a malicious attacker.”
Source link
