Malicious NuGet Package Impersonates Stripe Library to Steal API Keys

In February 2026, ReversingLabs researchers uncovered a malicious package published to the NuGet repository that was designed to deceive developers by posing as a popular library for Stripe integration in .NET applications. This incident marks a shift from earlier NuGet malware campaigns that primarily focused on blockchain-related targets.

Background: NuGet and Stripe

Stripe is a widely used online payment platform that simplifies processing transactions, subscriptions, and billing for businesses. To support developers building .NET applications that interact with Stripe’s APIs, an official client library called Stripe.net is maintained on NuGet and has amassed tens of millions of downloads.

Rather than compromising the official package directly, the threat actor published a typosquatted package under the name StripeApi.Net — a subtle variation intended to trick developers looking for the legitimate Stripe.net package into installing the fake one.

How the Fake Package Was Designed

The malicious package was crafted to closely resemble the official Stripe library:

  • It used the same icon and metadata as the legitimate package.
  • The project readme, tags, and links pointed to authentic Stripe resources.
  • The package’s author name and profile were chosen to suggest legitimacy.

To inflate perceived popularity, the threat actor artificially spread download activity across many versions (hundreds in total), creating a long version history and a high cumulative download count.

Malicious Functionality

Internally, the fake package included the same core code as the legitimate Stripe library, but key methods were modified. Specifically:

  • Malicious code was injected into the StripeClient initialization routine.
  • When executed, this modified method was designed to harvest the developer’s API token.
  • The stolen token, along with a simple machine identifier, was sent to an attacker-controlled backend hosted on Supabase.

Because the rest of the codebase continued to operate as expected, developers might not notice anything suspicious in normal use — giving the malicious logic a chance to exfiltrate sensitive credentials quietly.

Impact and Mitigation

Although the malicious StripeApi.Net package was downloaded more than 180 000 times according to its NuGet page, ReversingLabs analysis suggests that most of these downloads were likely artificial and that real victim impact was limited. The package was removed shortly after being reported to NuGet administrators.

This incident underscores a broader risk in software supply chains: typosquatting and imitation of legitimate packages can be effective attack vectors, even when the underlying library is widely trusted and heavily used. Organizations should apply rigorous vetting and scanning of dependencies from public repositories as part of secure development practices.
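One way to put that vetting into practice is a build-time check that compares every package referenced in a project file against a team allowlist and flags names that closely resemble an approved package. The script below is an added example, not code from ReversingLabs or NuGet; the allowlist, the similarity threshold, and the sample project file are assumptions made for illustration.

```python
import difflib
import xml.etree.ElementTree as ET

# Assumption: the team's approved package IDs. Only Stripe.net comes from the article.
APPROVED = {"Stripe.net", "Newtonsoft.Json"}

# Constructed sample project file. StripeApi.Net is the look-alike ID from the
# article; the version numbers and other references are made up for illustration.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="StripeApi.Net" Version="1.0.0" />
    <PackageReference Include="Serilog" Version="3.1.1" />
  </ItemGroup>
</Project>"""

def package_ids(csproj_text):
    """Return the package IDs referenced by a .csproj document."""
    ids = []
    for el in ET.fromstring(csproj_text).iter():
        # Drop any XML namespace prefix (old-style project files declare one).
        if el.tag.rsplit("}", 1)[-1] == "PackageReference":
            pid = el.get("Include") or el.get("Update")
            if pid:
                ids.append(pid.strip())
    return ids

def audit(csproj_text, approved=APPROVED, threshold=0.8):
    """Split unapproved IDs into look-alikes of approved ones and the rest."""
    known = {a.lower(): a for a in approved}  # NuGet IDs are case-insensitive
    lookalikes, unreviewed = [], []
    for pid in package_ids(csproj_text):
        key = pid.lower()
        if key in known:
            continue
        # Similarity to the closest approved ID (0.0 to 1.0).
        score, best = max(
            (difflib.SequenceMatcher(None, key, k).ratio(), k) for k in known
        )
        if score >= threshold:
            lookalikes.append((pid, known[best], round(score, 2)))
        else:
            unreviewed.append(pid)
    return lookalikes, unreviewed

if __name__ == "__main__":
    for pid, real, score in audit(SAMPLE_CSPROJ)[0]:
        print(f"LOOK-ALIKE: {pid} resembles approved {real} (similarity {score})")
```

A look-alike hit should fail the build, while the unreviewed list is a queue for manual vetting before a package is added to the allowlist.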