Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens

AndyC 27 February 2026

Ravie LakshmananFeb 26, 2026Malware / Software Security

Cybersecurity researchers have disclosed details of a new malicious package discovered on the NuGet Gallery, impersonating a library from financial services firm Stripe in an attempt to targe

Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens

Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens

Ravie LakshmananFeb 26, 2026Malware / Software Security

Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens

Cybersecurity researchers have disclosed details of a new malicious package discovered on the NuGet Gallery, impersonating a library from financial services firm Stripe in an attempt to target the financial sector.

The package, codenamed StripeApi.Net, attempts to masquerade as Stripe.net, a legitimate library from Stripe that has over 75 million downloads. It was uploaded by a user named StripePayments on February 16, 2026. The package is no longer available.

“The NuGet page for the malicious package is set up to resemble the official Stripe.net package as closely as possible,” ReversingLabs Petar Kirhmajer said. “It uses the same icon as the legitimate package and contains a nearly identical readme, only swapping the ‘Stripe.net’ references to read ‘Stripe-net.'”

In a further effort to lend credibility to the typosquatted package, the threat actor behind the campaign is said to have artificially inflated the download count to more than 180,000. But in an interesting twist, the downloads were split across 506 versions, with each version recording about 300 downloads on average.

The package replicates some of the legitimate Stripe package’s functionality, but also modifies certain critical methods to collect and transfer sensitive data, including the user’s Stripe API token, back to the threat actor. With the rest of the codebases remaining fully functional, it’s unlikely to attract any suspicion from unsuspecting developers who may have inadvertently downloaded it.

ReversingLabs said it discovered and reported the package “relatively soon” after it was initially released, causing it to be taken before it could inflict any serious damage.

The software supply chain security company also noted that the activity marks a shift from prior campaigns that have leveraged bogus NuGet packages to target the cryptocurrency ecosystem and facilitate wallet key theft.

“Developers who mistakenly download and integrate a typosquatted library like StripeAPI.net will still have their applications compile successfully and function as intended,” Kirhmajer said. “Payments would process normally and, from the developer’s perspective, nothing would appear broken. In the background, however, sensitive data is being secretly copied and exfiltrated by malicious actors.”

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Microsoft Warns Developers of Fake Next.js Job Repos Delivering In-Memory Malware

Microsoft Warns Developers of Fake Next.js Job Repos Delivering In-Memory Malware

AndyC 27 February 2026
Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access

Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access

AndyC 26 February 2026
Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries

Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries

AndyC 26 February 2026
Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration

Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration

AndyC 26 February 2026
SLH Offers 0–,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks

SLH Offers $500–$1,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks

AndyC 26 February 2026
Top 5 Ways Broken Triage Increases Business Risk Instead of Reducing It

Top 5 Ways Broken Triage Increases Business Risk Instead of Reducing It

AndyC 26 February 2026

You may have missed

The AI Agent Identity Crisis: 80% of Agents Don’t Properly Identify Themselves, 80% of Sites Don’t Verify

AndyC 27 February 2026
What to Know About the Notepad++ Supply-Chain Attack

What to Know About the Notepad++ Supply-Chain Attack

AndyC 27 February 2026
How to Bring Zero Trust to the Data Stream – Blog | Menlo Security

Accelerate Secure Releases With Microsoft Copilot and Sonatype Guide

AndyC 27 February 2026
Hackers abused Cisco SD-WAN zero-day since 2023 to gain full admin control

Hackers abused Cisco SD-WAN zero-day since 2023 to gain full admin control

AndyC 27 February 2026
How to Bring Zero Trust to the Data Stream – Blog | Menlo Security

Google GTIG disrupted China-linked APT UNC2814 halting attacks on 53 orgs in 42 countries

AndyC 27 February 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.