Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens
Source: The Hacker News
Overview
Cybersecurity researchers have disclosed a new malicious package discovered on the NuGet Gallery that impersonated a library from financial services firm Stripe in an attempt to target the financial sector.
The package, codenamed StripeApi.Net, masqueraded as the legitimate Stripe.net library, which has over 75 million downloads. It was uploaded by a user named StripePayments on February 16, 2026, and has since been removed.
“The NuGet page for the malicious package is set up to resemble the official Stripe.net package as closely as possible,” said ReversingLabs researcher Petar Kirhmajer. “It uses the same icon as the legitimate package and contains a nearly identical readme, only swapping the ‘Stripe.net’ references to read ‘Stripe‑net.’”

Typosquatted Package Details
- Package name: StripeApi.Net (typosquatted as Stripe-net)
- Uploader: StripePayments
- Upload date: February 16, 2026
- Status: No longer available on NuGet
The threat actor artificially inflated the download count to more than 180,000. However, the downloads were spread across 506 different versions, with each version recording roughly 300 downloads on average.

Malicious Behavior
The package replicates much of the legitimate Stripe library’s functionality, but it modifies critical methods to collect and exfiltrate sensitive data, including the user’s Stripe API token, back to the threat actor. The rest of the code remains functional, allowing applications to compile and run without raising suspicion.

Response and Mitigation
ReversingLabs said it discovered the package and reported it to the NuGet maintainers relatively soon after its release, leading to its removal before any serious damage could occur.
The incident marks a shift from prior campaigns that targeted the cryptocurrency ecosystem with bogus NuGet packages (see the earlier reports on fake Nethereum packages and fake WhatsApp API packages on npm).
“Developers who mistakenly download and integrate a typosquatted library like StripeAPI.net will still have their applications compile successfully and function as intended,” Kirhmajer explained. “Payments would process normally and, from the developer’s perspective, nothing would appear broken. In the background, however, sensitive data is being secretly copied and exfiltrated by malicious actors.”