{"id":58,"date":"2026-02-26T12:07:18","date_gmt":"2026-02-26T12:07:18","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=58"},"modified":"2026-02-26T12:07:18","modified_gmt":"2026-02-26T12:07:18","slug":"malicious-stripeapi-nuget-package-mimicked-official-library-and-stole-api-tokens","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=58","title":{"rendered":"Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Feb 26, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Software Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiOOA0ov4ywkdj7FrYHif0WbJFrQ04THhkLcOL83R7ggXvtpTTMUeO8-3e-YOobbh_5hGpdNbnXr1pbeU4Uj1DfBd7HLLefvr3fbmKeNnmxknerJm4TDUvvNUL1uJT0MN5frpDoVizcBh5KuEtiU-zq2rhZhZmLJ3iVOauRaHqBUf3k5DnZU8MUq7WHE8fX\/s1700-e365\/Stripe-malware.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Cybersecurity researchers have disclosed details of a new malicious package discovered on the NuGet Gallery, impersonating a library from financial services firm Stripe in an attempt to target the financial sector.<\/p>\n<p>The package, codenamed StripeApi.Net, attempts to masquerade as <a href=\"https:\/\/www.nuget.org\/packages\/Stripe.net\" rel=\"noopener\" target=\"_blank\">Stripe.net<\/a>, a legitimate library from Stripe that has over 75 million downloads. It was uploaded by a user named StripePayments on February 16, 2026. 
The package is no longer available.<\/p>\n<p>\u00abThe NuGet page for the malicious package is set up to resemble the official Stripe.net package as closely as possible,\u00bb ReversingLabs&#8217; Petar Kirhmajer <a href=\"https:\/\/www.reversinglabs.com\/blog\/malicious-nuget-package-targets-stripe\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abIt uses the same icon as the legitimate package and contains a nearly identical readme, only swapping the &#8216;Stripe.net&#8217; references to read &#8216;Stripe-net.&#8217;\u00bb<\/p>\n<p>In a further effort to lend credibility to the typosquatted package, the threat actor behind the campaign is said to have artificially inflated the download count to more than 180,000. But in an interesting twist, the downloads were split across 506 versions, with each version recording about 300 downloads on average.<\/p>\n<p>The package replicates some of the legitimate Stripe package&#8217;s functionality, but also modifies certain critical methods to collect and transfer sensitive data, including the user&#8217;s Stripe API token, back to the threat actor. 
With the rest of the codebase remaining fully functional, it&#8217;s unlikely to attract any suspicion from unsuspecting developers who may have inadvertently downloaded it.<\/p>\n<p>ReversingLabs said it discovered and reported the package \u00abrelatively soon\u00bb after it was initially released, causing it to be taken down before it could inflict any serious damage.<\/p>\n<p>The software supply chain security company also noted that the activity marks a shift from prior campaigns that have leveraged bogus NuGet packages to target the cryptocurrency ecosystem and facilitate wallet key theft.<\/p>\n<p>\u00abDevelopers who mistakenly download and integrate a typosquatted library like StripeAPI.net will still have their applications compile successfully and function as intended,\u00bb Kirhmajer said. \u00abPayments would process normally and, from the developer\u2019s perspective, nothing would appear broken. 
In the background, however, sensitive data is being secretly copied and exfiltrated by malicious actors.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Feb 26, 2026Malware \/ Software Security Cybersecurity researchers have disclosed details of a new malicious package discovered on the NuGet Gallery, impersonating a library from financial services firm Stripe&hellip;<\/p>\n","protected":false},"author":1,"featured_media":59,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[14,159,33,157,34,158,40,36,156,146],"class_list":["post-58","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-api","tag-library","tag-malicious","tag-mimicked","tag-nuget","tag-official","tag-package","tag-stole","tag-stripeapi","tag-tokens"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/58","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=58"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/58\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/59"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=58"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5
8"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=58"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}