Malicious NuGet Package StripeApi.Net Impersonates Stripe Library, Steals API Tokens
Security researchers uncover StripeApi.Net, a counterfeit NuGet package mimicking Stripe.net to exfiltrate API tokens targeting financial sector developers.
Malicious NuGet Package Targets Financial Sector with API Token Theft
Cybersecurity researchers have identified a malicious package on the NuGet Gallery designed to impersonate Stripe.net, a widely used official library from financial services provider Stripe. The counterfeit package, named StripeApi.Net, was uploaded by an actor posing as a legitimate developer and aims to steal API tokens from unsuspecting users in the financial sector.
Technical Details
The malicious StripeApi.Net package was discovered masquerading as Stripe.net, Stripe’s authentic .NET library, which boasts over 75 million downloads. While the legitimate library provides secure integration with Stripe’s payment processing APIs, the fraudulent version contains hidden functionality to exfiltrate sensitive credentials, including API tokens, to a remote server controlled by threat actors.
Key indicators of compromise include:
- Package name: StripeApi.Net (note the subtle deviation from the official Stripe.net)
- Uploader: A newly created NuGet account with no prior activity
- Behavior: Silent credential harvesting via embedded malicious code
At the time of disclosure, the package had not yet gained significant traction, but its targeting of financial sector developers raises concerns due to the high-value nature of compromised API tokens.
Impact Analysis
API tokens are critical authentication credentials that grant access to financial systems, payment gateways, and sensitive customer data. If successfully deployed, StripeApi.Net could enable threat actors to:
- Access financial transactions and manipulate payment processing
- Exfiltrate customer data, including personally identifiable information (PII) and payment details
- Escalate attacks within compromised environments by leveraging stolen credentials
The financial sector remains a prime target for supply chain attacks, and this incident underscores the risks posed by dependency confusion and typosquatting in package repositories.
Recommendations for Security Teams
To mitigate risks associated with malicious NuGet packages:
- Verify package authenticity: Always cross-check package names, publishers, and download counts before installation.
- Use package signing: Enforce the use of digitally signed packages to ensure integrity.
- Monitor dependencies: Implement Software Composition Analysis (SCA) tools to detect suspicious or unauthorized packages.
- Restrict NuGet sources: Configure development environments to only allow packages from trusted repositories.
- Educate developers: Raise awareness about typosquatting attacks and the importance of verifying package sources.
Security teams are advised to scan their environments for the presence of StripeApi.Net and revoke any exposed API tokens immediately. The NuGet Gallery has since removed the malicious package, but vigilance remains critical in preventing similar attacks.
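As an added example (not code from the article, from Stripe or from NuGet), the following Python check scans an SDK-style .csproj for the impostor ID named above and for package IDs confusable with Stripe.net; the sample project file, the similarity threshold and the package sets are constructed for illustration.

```python
"""Flag the known-bad NuGet ID and look-alikes of Stripe.net in a .csproj.
Added example; package IDs come from the article, everything else is assumed."""
import difflib
import re
import xml.etree.ElementTree as ET

# IDs from the article. NuGet IDs are case-insensitive, so compare lower-cased.
GENUINE = {"stripe.net"}
KNOWN_BAD = {"stripeapi.net"}
SIMILARITY = 0.8  # assumed threshold for "confusable" names


def _normalize(pkg_id: str) -> str:
    """Lower-case and drop separators so 'Stripe-Net' and 'Stripe.net' compare equal."""
    return re.sub(r"[.\-_]", "", pkg_id.lower())


def package_ids(csproj_xml: str) -> list[str]:
    """Return PackageReference IDs; tolerate an xmlns on old-style project files."""
    root = ET.fromstring(csproj_xml)
    return [e.get("Include") for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == "PackageReference" and e.get("Include")]


def classify(pkg_id: str) -> str:
    """'bad' = known-malicious ID, 'lookalike' = confusable with a genuine ID, else 'ok'."""
    if pkg_id.lower() in KNOWN_BAD:
        return "bad"
    if pkg_id.lower() in GENUINE:
        return "ok"
    a = _normalize(pkg_id)
    for g in GENUINE:
        b = _normalize(g)
        if a == b or b in a or difflib.SequenceMatcher(None, a, b).ratio() >= SIMILARITY:
            return "lookalike"
    return "ok"


def scan(csproj_xml: str) -> dict[str, str]:
    """Map every referenced package ID to its verdict."""
    return {p: classify(p) for p in package_ids(csproj_xml)}


# Constructed sample project file (not from the article): one genuine, one
# known-bad, one look-alike and one unrelated package.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Stripe.net" Version="1.0.0" />
    <PackageReference Include="StripeApi.Net" Version="1.0.0" />
    <PackageReference Include="Stripe-Net" Version="1.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="1.0.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg, verdict in scan(SAMPLE_CSPROJ).items():
        print(f"{verdict:9} {pkg}")
```

Any "bad" or "lookalike" verdict should be treated as a trigger to remove the reference and rotate the API tokens the build or runtime had access to.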
Source: The Hacker News