Cybersecurity researchers have disclosed details of a new malicious package discovered on the NuGet Gallery, impersonating a library from financial services firm Stripe in an attempt to target the financial sector.
The package, codenamed StripeApi.Net, attempts to masquerade as Stripe.net, a legitimate library from Stripe that has over 75 million downloads. It was uploaded by a user named StripePayments on February 16, 2026. The package is no longer available.
“The NuGet page for the malicious package is set up to resemble the official Stripe.net package as closely as possible,” ReversingLabs' Petar Kirhmajer said. “It uses the same icon as the legitimate package and contains a nearly identical readme, only swapping the ‘Stripe.net’ references to read ‘Stripe-net.’”
In a further effort to lend credibility to the typosquatted package, the threat actor behind the campaign is said to have artificially inflated the download count to more than 180,000. But in an interesting twist, the downloads were split across 506 versions, with each version recording about 300 downloads on average.
The package replicates some of the legitimate Stripe package's functionality, but also modifies certain critical methods to collect and transfer sensitive data, including the user's Stripe API token, back to the threat actor. With the rest of the codebase remaining fully functional, it is unlikely to attract any suspicion from unsuspecting developers who may have inadvertently downloaded it.
ReversingLabs said it discovered and reported the package “comparatively quickly” after it was initially released, causing it to be taken down before it could inflict any serious damage.
The software supply chain security company also noted that the activity marks a shift from prior campaigns that have leveraged bogus NuGet packages to target the cryptocurrency ecosystem and facilitate wallet key theft.
“Developers who mistakenly download and integrate a typosquatted library like StripeAPI.net will still have their applications compile successfully and function as intended,” Kirhmajer said. “Payments would process normally and, from the developer’s perspective, nothing would appear broken. In the background, however, sensitive data is being secretly copied and exfiltrated by malicious actors.”
