Malicious NuGet Package Impersonated Stripe Library, Exfiltrated Developer Credentials

A recently uncovered malicious software package on the NuGet Gallery posed as a legitimate Stripe library, aiming to steal sensitive developer credentials. The package, named 'StripeApi.Net,' was a near-perfect replica of the official 'Stripe.net' library, which is used by millions. Uploaded in mid-February, it has since been removed from the platform.

According to ReversingLabs researcher Petar Kirhmajer, the imitation was meticulous. The fraudulent listing copied the official package's icon and documentation, with only subtle text changes. To appear established, the uploader artificially boosted download statistics across hundreds of package versions.

The danger lay in what the package did beyond its stated functionality. It performed its advertised tasks correctly, processing payments without error, but it also contained modified code designed to harvest a developer's private Stripe API token and transmit it to a remote server. Because applications kept working normally, there was no immediate sign of compromise.

ReversingLabs identified and reported the package shortly after its appearance, leading to its takedown before widespread damage occurred. The company notes this incident represents a tactical shift; previous malicious NuGet packages largely targeted cryptocurrency developers, whereas this campaign took aim at the broader financial technology sector.

The event underscores the persistent risks in the software supply chain, where a single, trusted-looking component can become a critical vulnerability. Security experts continue to advise developers to verify package sources meticulously, even when functionality seems intact.
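The kind of pre-install check the last paragraph calls for, as an added example that is not code from ReversingLabs, Stripe or the article: it reads the PackageReference ids out of a .csproj and flags ids that are not on a project's allowlist but closely resemble one that is, which is exactly how 'StripeApi.Net' stands next to 'Stripe.net'. The allowlist, the sample project file and the similarity threshold are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Constructed allowlist: the package ids this project is expected to depend on.
# NuGet ids are case-insensitive; 'Stripe.net' is the official Stripe package id.
TRUSTED_IDS = {"Stripe.net", "Newtonsoft.Json"}


def normalize(package_id: str) -> str:
    """Collapse the tricks an impersonator relies on: case, separators and
    filler tokens (api, net, sdk, client, lib) that make a lookalike id read
    as official. Deliberately aggressive; hits are for a human to review."""
    s = package_id.lower()
    s = re.sub(r"[._-]", "", s)
    return re.sub(r"(api|net|sdk|client|lib)", "", s)


def lookalike_score(candidate: str, trusted: str) -> float:
    """Similarity of two ids after normalization, 0.0 if either normalizes away."""
    a, b = normalize(candidate), normalize(trusted)
    if not a or not b:
        return 0.0
    return SequenceMatcher(None, a, b).ratio()


def audit_package_ids(package_ids, trusted_ids=TRUSTED_IDS, threshold=0.8):
    """Return [(candidate, trusted_match, score)] for ids that are NOT on the
    allowlist yet resemble an allowlisted id at or above the threshold."""
    trusted_lower = {t.lower() for t in trusted_ids}
    findings = []
    for pid in package_ids:
        if pid.lower() in trusted_lower:
            continue  # exact (case-insensitive) allowlist match is fine
        for trusted in trusted_ids:
            score = lookalike_score(pid, trusted)
            if score >= threshold:
                findings.append((pid, trusted, round(score, 2)))
    return findings


def package_ids_from_csproj(xml_text: str):
    """Extract PackageReference Include attributes from SDK-style project XML."""
    root = ET.fromstring(xml_text)
    return [el.attrib["Include"] for el in root.iter("PackageReference")
            if "Include" in el.attrib]


# Constructed sample project file referencing the impersonating id.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="StripeApi.Net" Version="1.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pid, trusted, score in audit_package_ids(package_ids_from_csproj(SAMPLE_CSPROJ)):
        print(f"WARNING: {pid} resembles allowlisted package {trusted} (similarity {score})")
```

Run against a real project, such a check belongs in CI before `dotnet restore`; a flagged id is a prompt to confirm the publisher on the NuGet Gallery, not proof of malice.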

Source: The Hacker News
