
Malicious NuGet Package Targets Stripe Developers

By Team-CWD, February 25, 2026

A malicious NuGet package designed to mimic Stripe’s official .NET library has been uncovered by cybersecurity researchers, marking a shift in tactics from earlier cryptocurrency-focused campaigns to the broader financial sector.

The package, named StripeApi.Net, impersonated Stripe.net, the legitimate helper library used to integrate Stripe payments into Microsoft .NET applications.

With more than 74 million downloads, Stripe.net is widely adopted by developers building payment, billing and subscription systems. This made the malicious package particularly dangerous.

Typosquatting Campaign Targets Developers

According to a new advisory by ReversingLabs, rather than attempting to breach Stripe’s official package, the threat actors used typosquatting and published a similarly named package to trick developers into installing it.

The fake listing closely resembled the genuine NuGet page. It used the same icon, near-identical documentation and matching tags.

The publisher name, “StripePayments,” was chosen to appear credible, though the account retained the default NuGet profile image instead of Stripe’s logo.

Researchers said that the malicious package showed more than 180,000 downloads. However, they also noted that the figures appear to have been artificially inflated.

Instead of accumulating large download counts across a small number of versions, the threat actors spread roughly 300 downloads each across 506 versions to create the impression of steady use.
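A defender-side check for the lookalike naming described in this section, as an added example that is not from ReversingLabs or the original article: it scans a project file's PackageReference entries and flags IDs that resemble, but do not equal, a trusted package. The allowlist, filler-word list, similarity threshold and sample project file are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Assumed allowlist of package IDs the team actually intends to depend on.
TRUSTED = ("Stripe.net", "Newtonsoft.Json")
# Assumed filler words that lookalike names tend to add or drop.
FILLER = {"api", "net", "sdk", "dotnet", "client", "official", "lib"}

# Constructed sample project file; version numbers are placeholders.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="StripeApi.Net" Version="0.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="0.0.0" />
    <PackageReference Include="Serilog" Version="0.0.0" />
  </ItemGroup>
</Project>"""

def core_tokens(package_id):
    """Split on separators and CamelCase, lowercase, drop filler words."""
    spaced = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", " ", package_id)
    parts = re.split(r"[^A-Za-z0-9]+", spaced)
    return frozenset(p.lower() for p in parts if p and p.lower() not in FILLER)

def squash(package_id):
    return re.sub(r"[^a-z0-9]", "", package_id.lower())

def lookalike_of(package_id, threshold=0.85):
    """Return (trusted_id, reason) if the ID imitates a trusted one, else None."""
    if package_id.lower() in {t.lower() for t in TRUSTED}:
        return None  # exact match; NuGet package IDs are case-insensitive
    for trusted in TRUSTED:
        if core_tokens(package_id) == core_tokens(trusted):
            return (trusted, "same name after dropping filler words")
        ratio = SequenceMatcher(None, squash(package_id), squash(trusted)).ratio()
        if ratio >= threshold:
            return (trusted, "near-identical spelling")
    return None

def find_lookalikes(csproj_xml):
    """List (package_id, trusted_id, reason) for each suspicious reference."""
    findings = []
    for el in ET.fromstring(csproj_xml).iter():
        # Strip any XML namespace so old-style project files also match.
        if el.tag.split("}")[-1] == "PackageReference" and el.get("Include"):
            hit = lookalike_of(el.get("Include"))
            if hit:
                findings.append((el.get("Include"), hit[0], hit[1]))
    return findings
```

A finding is a prompt to verify the publisher and package page before restoring, not proof of malice; the check only covers names on the allowlist.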

Hidden Code Exfiltrated API Keys

A deeper inspection revealed that the package contained largely legitimate Stripe code, but with subtle modifications. Critical methods were altered to capture API tokens when the StripeClient class was initialized.

Once obtained, the stolen API keys and a machine identifier were transmitted to a Supabase database controlled by the attackers. Supabase provides managed PostgreSQL services, making it convenient as data collection infrastructure.

Despite the inflated download count, ReversingLabs said it is unlikely any developers were compromised. The company reported the package shortly after its publication on February 16, and NuGet administrators removed it shortly after receiving the notification. An examination of the associated Supabase database found no stolen tokens, only a test entry.

ReversingLabs warned that the incident highlights persistent third-party risk in modern software development. 

“The increasing frequency of such campaigns requires a shift in thinking by developers,” the team warned. “Legitimate packages may… be compromised and traffic malicious code into legitimate development pipelines, as the recent Shai-hulud npm malware outbreak showed.”
