StripeApi.Net malicious NuGet package exfiltrating Stripe API tokens
Malware Activity
Summary
A malicious StripeApi.Net package on NuGet impersonated Stripe.net and quietly stole Stripe API tokens, putting developers in the financial sector at risk. The package copied the legitimate library's branding and functionality closely enough that projects could still compile and process payments normally. It was uploaded on February 16, 2026, inflated to more than 180,000 downloads, and removed after researchers reported it.
Related Happenings
Graphalgo malicious npm and PyPI RAT downloader packages
Malware Activity
First: 14.02.2026 00:35
Last: 14.02.2026 00:35
Sources 1
About this happening:
**Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...
Latest development: 29.04.2026 17:43
North Korean graphalgo operators use fake companies, fake job interviews, and coding tests on job-seeking platforms and social networks to lure developers into downloading GitHub-hosted assessment projects that carry malicious npm or PyPI dependencies and ultimately install a RAT. One front company, Blocmerce, registered an LLC in Florida in August 2025, and related GitHub organizations have been active since June 2025.
Lazarus Group graphalgo recruitment-themed package campaign
Campaign
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...
North Korea-linked Lazarus Group's ongoing open-source poisoning model
Threat Actor Meta
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
**North Korea-linked threat actors** are continuing to **poison open-source ecosystems** with malicious packages, signaling an ongoing supply-chain operating model aimed at **data...
Obfuscated web skimmer payload targeting Stripe checkout forms
Malware Activity
First: 13.01.2026 19:30
Last: 13.01.2026 19:30
Sources 1
About this happening:
**Silent Push** disclosed a **Magecart**-style **web skimming campaign** that has operated since **2022** and targets **e-commerce checkout pages** tied to at least **six major pa...
Malicious npm packages masquerading as n8n integrations to steal OAuth credentials
Malware Activity
First: 12.01.2026 18:39
Last: 12.01.2026 18:39
Sources 1
About this happening:
A set of **eight npm packages** impersonating **n8n integrations** is stealing **developers' OAuth credentials**, putting linked services and workflow access at risk. One package...
Timeline
- 26.02.2026 12:09
StripeApi.Net upload and Stripe API token exfiltration setup
Technical Analysis Update
StripePayments uploaded the malicious NuGet package StripeApi.Net to the NuGet Gallery on February 16, 2026, posing it as Stripe.net with the same icon and a nearly identical readme while inflating downloads across 506 versions to more than 180,000. The package kept most functionality intact but modified critical methods to collect and transfer the user's Stripe API token, creating a supply-chain risk for developers in the financial sector.
Sources
- Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens — thehackernews.com — 26.02.2026 12:09
- 26.02.2026 12:09
Researchers disclose malicious StripeApi.Net package on NuGet Gallery
Initial Disclosure
Cybersecurity researchers disclosed the malicious NuGet Gallery package StripeApi.Net on February 26, 2026 after it was found impersonating Stripe.net to target the financial sector. ReversingLabs said it discovered and reported the package relatively soon after release, and the package was removed before it could inflict serious damage.
Sources
- Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens — thehackernews.com — 26.02.2026 12:09