
Malicious StripeApi NuGet Package Mimics Official Library, Steals API Tokens

  • Feb 26

Key Findings


  • A malicious NuGet package named "StripeApi.Net" was discovered impersonating the legitimate "Stripe.net" library from the financial services firm Stripe.

  • The package was uploaded to the NuGet Gallery on February 16, 2026 by a user named "StripePayments".

  • The package's NuGet page was designed to closely resemble the official Stripe.net package, using the same icon and a nearly identical readme.

  • The package had an artificially inflated download count of over 180,000, spread across 506 versions.

  • The malicious package replicated some of Stripe.net's functionality but also included code to collect and exfiltrate the user's Stripe API token.


Background


The discovery of the malicious "StripeApi.Net" package marks a shift in the tactics used by threat actors targeting the software supply chain. Previous campaigns have focused on exploiting the cryptocurrency ecosystem and stealing wallet keys, but this latest incident is aimed at the financial sector.


The threat actors behind the campaign went to great lengths to lend credibility to the typosquatted package, including mimicking the official Stripe.net branding and artificially inflating the download count. This was likely done to increase the chances of unsuspecting developers accidentally integrating the malicious library into their applications.


Functionality and Impact


The malicious package replicates some of the legitimate Stripe.net library's functionality, making it less likely to attract suspicion from developers who may have inadvertently downloaded it. However, the package also includes code that modifies critical methods to collect and exfiltrate the user's Stripe API token back to the threat actors.


While the application would still function normally from the developer's perspective, the sensitive data theft would occur silently in the background. This could potentially expose Stripe customers to financial fraud and other malicious activities.


Discovery and Mitigation


ReversingLabs discovered and reported the malicious "StripeApi.Net" package to the NuGet Gallery, leading to its removal before it could cause any significant damage. The company noted that the activity marks a shift from previous campaigns targeting the cryptocurrency ecosystem.


To mitigate the impact of such supply chain attacks, developers are advised to exercise caution when integrating third-party libraries, particularly those with similar names to well-known packages. Verifying the authenticity and source of packages, as well as monitoring for suspicious activity, are crucial steps in protecting against these types of threats.
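As an added illustration of the name check described above (not code from the article or from ReversingLabs), the following script flags `PackageReference` entries in a project file whose IDs resemble a vetted package without matching it exactly. The allowlist, the affix list, the similarity threshold and the sample project file are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Assumption: package IDs this team has vetted and expects to see.
TRUSTED = {"Stripe.net", "Newtonsoft.Json", "Serilog"}
# Assumption: filler tokens that squatters add to or drop from a known name.
AFFIXES = re.compile(r"api|sdk|client|official|net|core")

# Constructed sample project file; the version numbers are placeholders.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="StripeApi.Net" Version="1.0.0" />
    <PackageReference Include="newtonsoft.json" Version="1.0.0" />
    <PackageReference Include="Serilog.Sinks.Console" Version="1.0.0" />
  </ItemGroup>
</Project>"""

def core(pkg_id):
    """Reduce an ID to its brand core: lowercase, no separators, no filler."""
    return AFFIXES.sub("", re.sub(r"[^a-z0-9]", "", pkg_id.lower()))

def package_ids(csproj_xml):
    """Yield the Include value of every PackageReference, namespaced or not."""
    for el in ET.fromstring(csproj_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "PackageReference" and el.get("Include"):
            yield el.get("Include")

def lookalikes(csproj_xml, trusted=TRUSTED, threshold=0.85):
    """Return (referenced_id, trusted_id) pairs for unvetted look-alike IDs."""
    exact = {t.lower() for t in trusted}  # NuGet IDs are case-insensitive
    hits = []
    for pid in package_ids(csproj_xml):
        if pid.lower() in exact:
            continue  # exact match to a vetted ID, nothing to report
        for t in sorted(trusted):
            ratio = SequenceMatcher(None, pid.lower(), t.lower()).ratio()
            if (core(pid) and core(pid) == core(t)) or ratio >= threshold:
                hits.append((pid, t))
                break
    return hits

if __name__ == "__main__":
    for referenced, resembles in lookalikes(SAMPLE_CSPROJ):
        print(f"REVIEW: '{referenced}' resembles vetted package '{resembles}'")
```

A hit is a prompt for manual review of the package's publisher and history, not proof of malice; a download count alone is not a trust signal, since the one in this incident was artificially inflated.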


Sources


  • https://thehackernews.com/2026/02/malicious-stripeapi-nuget-package.html

  • https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html

  • https://www.reversinglabs.com/blog/malicious-nuget-package-targets-stripe
