CYBERSECURITY researchers uncovered a malicious NuGet package named StripeApi[.]Net that impersonates Stripe[.]net in a bid to target the financial sector. The package was uploaded by a user called StripePayments on 16 February 2026 and the page closely mirrors the official Stripe[.]net package, including the same icon and a readme that swaps Stripe[.]net references to Stripe-net.
According to ReversingLabs, the threat actor scrubbed up credibility by inflating downloads to more than 180,000 across 506 versions, averaging about 300 downloads per version. The package replicates some legitimate functionality but also modifies key methods to collect and secretly exfiltrate the user’s Stripe API token back to the attacker, while the rest of the codebase remains functional to avoid raising suspicion. ReversingLabs noted the activity was halted relatively soon after discovery, and the package is no longer available.