A typosquatted StripeApi.Net package impersonated Stripe's legitimate library on NuGet Gallery, using identical branding and inflated download counts to steal API tokens from unsuspecting developers.
Cybersecurity researchers have uncovered a sophisticated supply chain attack involving a malicious NuGet package that impersonated Stripe's legitimate financial library to steal API tokens from developers.

The malicious package, dubbed StripeApi.Net, was uploaded to the NuGet Gallery on February 16, 2026, by a user named StripePayments. The package attempted to masquerade as Stripe.net, Stripe's official library that has over 75 million legitimate downloads.
According to Petar Kirhmajer from ReversingLabs, the threat actors went to extraordinary lengths to make the malicious package appear authentic. "The NuGet page for the malicious package is set up to resemble the official Stripe.net package as closely as possible," Kirhmajer explained. "It uses the same icon as the legitimate package and contains a nearly identical readme, only swapping the 'Stripe.net' references to read 'Stripe-net.'"
In a particularly deceptive tactic, the attackers artificially inflated the download count to more than 180,000 across 506 different versions, with each version averaging about 300 downloads. This manipulation was designed to create the appearance of a popular, trusted library.
While the package replicated much of the legitimate Stripe library's functionality, it contained critical modifications that allowed it to collect and exfiltrate sensitive data. Specifically, the malicious code was designed to capture users' Stripe API tokens and transmit them back to the threat actors.
The attack's sophistication lies in its stealth. Since the rest of the codebase remained fully functional, developers who inadvertently downloaded and integrated the package would experience no immediate issues. Payments would process normally, and applications would compile and run without errors, making detection extremely difficult.
ReversingLabs discovered and reported the malicious package "relatively soon" after its release, preventing it from causing widespread damage. The package has since been removed from the NuGet Gallery.
This campaign represents a notable shift in tactics, moving away from previous attacks that primarily targeted the cryptocurrency ecosystem. Instead, this attack focused on the financial sector, demonstrating how typosquatting attacks are evolving to target different industries.
Kirhmajer emphasized the danger of such attacks: "Developers who mistakenly download and integrate a typosquatted library like StripeAPI.net will still have their applications compile successfully and function as intended. Payments would process normally and, from the developer's perspective, nothing would appear broken. In the background, however, sensitive data is being secretly copied and exfiltrated by malicious actors."
The discovery highlights the ongoing risks in software supply chain security and the importance of verifying package authenticity before integration. Developers are advised to double-check package names, review source code when possible, and be cautious of packages with unusually high download counts or multiple similar versions.
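The name check advised above can be automated. The following is an added example, not code from ReversingLabs or from the article; the verified-ID list, the sample project file and the 0.8 similarity threshold are constructed assumptions. It flags referenced package IDs that resemble a verified ID without being that ID.

```python
import re
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Assumption: IDs the team has verified against the vendor's own documentation.
VERIFIED_IDS = {"Stripe.net", "Newtonsoft.Json"}

# Constructed sample project file (not taken from any real repository).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="StripeApi.Net" Version="1.0.0" />
    <PackageReference Include="stripe.net" Version="1.0.0" />
  </ItemGroup>
</Project>"""


def squash(pkg_id):
    """Lowercase and drop separators so 'Stripe-net' and 'Stripe.net' collide."""
    return re.sub(r"[._\-]", "", pkg_id.lower())


def referenced_ids(csproj_text):
    """Return PackageReference IDs, with or without an MSBuild XML namespace."""
    root = ET.fromstring(csproj_text)
    return [el.attrib["Include"] for el in root.iter()
            if el.tag.split("}")[-1] == "PackageReference" and "Include" in el.attrib]


def find_lookalikes(csproj_text, verified=VERIFIED_IDS, threshold=0.8):
    """List (referenced_id, verified_id, similarity) for near-miss package names."""
    exact = {v.lower() for v in verified}  # NuGet package IDs are case-insensitive
    findings = []
    for pkg in referenced_ids(csproj_text):
        if pkg.lower() in exact:
            continue  # the verified package itself
        for good in sorted(verified):
            score = SequenceMatcher(None, squash(pkg), squash(good)).ratio()
            if score >= threshold:
                findings.append((pkg, good, round(score, 2)))
    return findings


if __name__ == "__main__":
    for pkg, good, score in find_lookalikes(SAMPLE_CSPROJ):
        print(f"REVIEW: '{pkg}' resembles verified package '{good}' (similarity {score})")
```

A finding means the reference needs manual review against the vendor's published package ID before the build proceeds; it is not proof that the package is malicious.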
This incident serves as a reminder that even trusted repositories like NuGet can end up hosting malicious packages, and that typosquatting remains an effective technique for malicious actors seeking to infiltrate development environments and steal sensitive credentials.
