A malicious package designed to impersonate Stripe’s official .NET library was discovered on the NuGet Gallery, where it quietly harvested API tokens from developers who installed it believing it to be legitimate software.
The package, named StripeApi.Net, was uploaded on February 16, 2026, by an account called StripePayments. It mimicked Stripe.net, a legitimate library with more than 75 million downloads. The counterfeit package has since been removed from the gallery.
Built to Deceive
The package copied the official library’s icon and used a nearly identical readme file, only swapping references from “Stripe.net” to “Stripe-net.” To appear credible, the threat actor artificially inflated the download count to more than 180,000, spread across 506 versions, with each version averaging roughly 300 downloads.
The tactic was deliberate. A high download count signals trustworthiness to developers scanning a package repository for a reliable dependency. Combined with the visual similarity to the official listing, the fake package was engineered to slip past basic scrutiny.
Functional Code, Hidden Payload
What made StripeApi.Net particularly difficult to detect was that most of it actually worked. The package replicated core functionality from the legitimate library while modifying specific methods to collect and transmit sensitive data, including the user’s Stripe API token, back to the attacker.
According to ReversingLabs researcher Petar Kirhmajer, developers who integrated the package would have seen their applications compile and run without errors. Payments would have processed normally. Nothing would have appeared broken.
“In the background, however, sensitive data is being secretly copied and exfiltrated by malicious actors,” Kirhmajer said.
That design choice makes supply chain attacks of this type especially effective. Unlike malware that crashes systems or triggers security alerts, this package was built to be invisible.
Caught Before Widespread Damage
ReversingLabs said it identified and reported the package shortly after its release, leading to its removal before it could cause significant harm. The company noted that the campaign represents a shift in targeting from previous NuGet-based attacks, which focused primarily on the cryptocurrency sector and stealing wallet keys.
Targeting financial API credentials broadens the potential damage. A compromised Stripe API token could give an attacker access to payment data, customer records, and transaction controls depending on the permissions associated with the key.
A Persistent Threat to Open-Source Ecosystems
Typosquatting attacks on package repositories are not new, but this case illustrates how far threat actors will go to manufacture legitimacy. Artificially inflated version counts, copied branding, and fully functional code all serve the same goal: reducing the chance a developer questions what they just installed.
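As a defender-side check, here is an added example that is not from the article or from ReversingLabs: a small Python script that scans a .csproj for PackageReference IDs that resemble, but do not exactly match, a vetted allow-list. The allow-list, the similarity threshold and the sample project file are constructed for the example; on that input it flags StripeApi.Net beside the legitimate Stripe.net.

```python
"""Flag NuGet PackageReference entries that look like a vetted package but
are not an exact match (lookalike IDs such as StripeApi.Net vs Stripe.net).
Hypothetical defender-side script; the allow-list and csproj are constructed."""
import difflib
import re
import xml.etree.ElementTree as ET

# Constructed allow-list of package IDs the team has vetted (hypothetical).
TRUSTED = {"Stripe.net", "Newtonsoft.Json", "Microsoft.Extensions.Logging"}


def normalize(pkg_id: str) -> str:
    """Lower-case and strip separators so 'Stripe-net', 'stripe.net' and
    'StripeNet' all compare as 'stripenet'."""
    return re.sub(r"[.\-_]", "", pkg_id.lower())


def lookalike_score(candidate: str, trusted: str) -> float:
    """Similarity ratio in [0, 1] of the normalized IDs (1.0 = identical)."""
    return difflib.SequenceMatcher(None, normalize(candidate), normalize(trusted)).ratio()


def scan_csproj(xml_text: str, threshold: float = 0.8):
    """Return (package, version, closest_trusted, score) for every
    PackageReference that is not exactly trusted yet resembles a trusted ID."""
    root = ET.fromstring(xml_text)
    findings = []
    for ref in root.iter("PackageReference"):
        pkg = ref.get("Include") or ""
        if pkg in TRUSTED:  # exact, vetted ID: nothing to report
            continue
        best, score = max(((t, lookalike_score(pkg, t)) for t in TRUSTED), key=lambda x: x[1])
        if score >= threshold:
            findings.append((pkg, ref.get("Version"), best, round(score, 2)))
    return findings


# Constructed sample project file containing one lookalike reference.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Stripe.net" Version="45.0.0" />
    <PackageReference Include="StripeApi.Net" Version="1.2.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg, ver, near, score in scan_csproj(SAMPLE_CSPROJ):
        print(f"SUSPICIOUS: {pkg} {ver} resembles vetted {near} (score {score})")
```

Run it in CI against every project file; any hit is a package to review by hand before the build is allowed to restore it.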
The incident adds to a growing body of evidence that open-source package registries remain an active vector for credential theft and data exfiltration, with financial services increasingly in the crosshairs.
This article is a curated summary based on third-party sources.