Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens

In an effort to target the financial industry, cybersecurity researchers have revealed details of a new malicious package they found on the NuGet Gallery that mimics a library from financial services company Stripe This article explores stripe net threat. . Codenamed StripeApi.Net, the package aims to impersonate Stripe.net, a genuine library from Stripe with more than 75 million downloads.

On February 16, 2026, a user going by the name StripePayments uploaded it. The package isn't available anymore. According to ReversingLabs Petar Kirhmajer, "the NuGet page for the malicious package is set up to resemble the official Stripe.net package as closely as possible."

"It has a nearly identical readme and uses the same icon as the genuine package, with the exception that the references to "Stripe.net" are changed to "Stripe-net." The threat actor behind the campaign is accused of inflating the download count to over 180,000 in an attempt to give the typosquatted package more legitimacy. Intriguingly, however, the downloads were divided among 506 versions, with an average of 300 downloads per version.

The package mimics some of the features of the authentic Stripe package, but it also alters some crucial procedures to gather and send private information, such as the user's Stripe API token, back to the threat actor.

It's unlikely to raise any red flags with developers who might have unintentionally downloaded it because the other codebases are still completely operational. According to ReversingLabs, the package was taken before it could cause any significant harm because it was found and reported "relatively soon" after it was first released. The activity, according to the software supply chain security firm, is different from previous campaigns that used fake NuGet packages to target the cryptocurrency ecosystem and make wallet key theft easier.

According to Kirhmajer, "developers will still have their applications compile successfully and work as intended even if they download and integrate a typosquatted library like StripeAPI.net by mistake." "From the developer's point of view, nothing would seem amiss, and payments would process as usual.

However, malicious actors are surreptitiously copying and exfiltrating sensitive data in the background.