Cybersecurity researchers recently identified a malicious NuGet package named StripeApi.Net that impersonated the legitimate Stripe.net library to target financial sector developers. Although the package was quickly removed, it successfully used typosquatting, cloned branding, and inflated download counts to exfiltrate sensitive API tokens while maintaining normal application functionality.
Researchers discovered a fraudulent package on the NuGet Gallery specifically designed to mimic the official Stripe.net library, which is a staple tool for financial services. Uploaded in mid-February 2026 by an account named StripePayments, the malicious version used the same icons and nearly identical documentation to trick users into downloading it. By the time it was flagged and removed, its download count had been manipulated to show over 180,000 downloads so that it would appear trustworthy to unsuspecting developers.
The technical execution of this attack relied on a high degree of visual and functional mimicry. The threat actor substituted minor characters in the name and documentation, changing Stripe.net to Stripe-net, to capitalize on common typing errors. To further build a false sense of authority, the actor distributed the total download count across more than 500 different versions of the package. This artificial inflation ensured that even a quick glance at the package's popularity would not immediately raise any red flags for a busy software engineer.
Beyond simple imitation, the malicious code was engineered to be functional enough to avoid detection during active development. While it replicated the core features of the real Stripe library, it secretly modified specific methods to capture Stripe API tokens. These sensitive credentials were then transmitted back to the attackers. Because the rest of the codebase remained operational, a developer integrating the library would see their application compile and process payments exactly as expected, unaware that their security was being compromised.
This specific campaign represents an evolution in the types of targets favored by supply chain attackers. While previous efforts on the NuGet platform largely focused on stealing keys from cryptocurrency wallets, this shift toward broader financial services suggests a diversifying interest in corporate and enterprise data. ReversingLabs, the firm that discovered the threat, noted that the speed of their intervention likely prevented widespread damage, as the package was reported and taken down shortly after its release.
The primary danger of such typosquatted libraries lies in their invisibility within a standard workflow. Since the application functions perfectly on the surface, there are no broken links or error messages to alert a security team to the breach. This incident serves as a reminder for developers to double-check package names and publisher identities, as even highly popular and seemingly functional tools can harbor hidden backdoors designed to exfiltrate data in the background.
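The name check recommended above can be automated in a build pipeline. The following is an added example, not code from ReversingLabs or the original report: it reads the `PackageReference` entries of a project file and flags any package ID that is not on a team allow-list, marking near-matches to an approved name as lookalikes. The allow-list, the 0.8 similarity threshold, the sample project file and the `Contoso.Logging` name are assumptions made for illustration.

```python
import difflib
import re
import xml.etree.ElementTree as ET

# Assumption: package IDs the team has vetted (publisher checked by hand).
APPROVED = {"Stripe.net", "Newtonsoft.Json", "Serilog"}

# Constructed sample project file; versions are placeholders.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Stripe.net" Version="0.0.0" />
    <PackageReference Include="StripeApi.Net" Version="0.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="0.0.0" />
    <PackageReference Include="Contoso.Logging" Version="0.0.0" />
  </ItemGroup>
</Project>"""

def normalize(package_id):
    """Lowercase and drop separators so 'Stripe-net' and 'Stripe.net' compare equal."""
    return re.sub(r"[^a-z0-9]", "", package_id.lower())

def similarity(a, b):
    """Similarity ratio (0..1) between two normalized package IDs."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def package_ids(csproj_text):
    """Return every PackageReference ID, with or without an MSBuild XML namespace."""
    root = ET.fromstring(csproj_text)
    return [el.attrib["Include"] for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "PackageReference" and "Include" in el.attrib]

def audit(csproj_text, approved=APPROVED, threshold=0.8):
    """Return (package_id, verdict, closest_approved) for each ID not on the allow-list."""
    exact = {a.lower() for a in approved}  # NuGet package IDs are case-insensitive
    findings = []
    for pid in package_ids(csproj_text):
        if pid.lower() in exact:
            continue
        best = max(sorted(approved), key=lambda a: similarity(pid, a))
        if similarity(pid, best) >= threshold:
            findings.append((pid, "lookalike", best))  # likely typosquat of an approved ID
        else:
            findings.append((pid, "unapproved", None))  # unknown: needs manual vetting
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSPROJ):
        print(finding)
```

A name-similarity check only catches lookalike IDs; it does not verify the publisher account, which still has to be confirmed when a package is first added to the allow-list.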
Source: Malicious StripeApi NuGet Package Mimicked Official Library to Steal API Tokens



