A malicious NuGet package designed to mimic Stripe's official .NET library has been uncovered, marking a shift in tactics from cryptocurrency-focused campaigns to the broader financial sector, according to ReversingLabs. The package, named StripeApi[.]Net, impersonated Stripe[.]net, the legitimate helper library used to integrate Stripe payments into Microsoft .NET applications, which has more than 74 million downloads and is widely adopted by developers building payment, billing and subscription systems.
The fake listing closely resembled the genuine NuGet page, using the same icon and near-identical documentation and tags, with the publisher name "StripePayments" chosen to appear credible. Researchers said the malicious package showed more than 180,000 downloads, though figures appeared to be artificially inflated by the threat actors, who spread roughly 300 downloads across 506 versions to create the impression of steady use.
A deeper inspection revealed that the package contained largely legitimate Stripe code but with subtle modifications that allowed API tokens to be captured when the StripeClient class was initialised, with stolen keys and a machine identifier transmitted to a Supabase database controlled by the attackers. NuGet administrators removed it shortly after notification, and the incident underscores persistent third-party risk in modern software development, with the publication dating to 25 February 2026.