StripeApi.Net malicious NuGet package exfiltrating Stripe API tokens
Malware Activity
Summary
Hide ▲
Show ▼
A malicious StripeApi.Net package on NuGet impersonated Stripe.net and quietly stole Stripe API tokens, putting developers in the financial sector at risk. The package copied the legitimate library's branding and functionality closely enough that projects could still compile and process payments normally. It was uploaded on February 16, 2026, inflated to more than 180,000 downloads, and removed after researchers reported it.
Related Happenings
Magecart Stripe and Google Tag Manager card-skimming campaign
Campaign
H score36
First: 04.06.2026 23:47
Last: 04.06.2026 23:47
Sources 1
About this happening:
The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
Magecart Stripe and Google Tag Manager card-skimming campaign
CampaignAbout this happening: The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
Graphalgo malicious npm and PyPI RAT downloader packages
Malware Activity
H score31
First: 14.02.2026 00:35
Last: 14.02.2026 00:35
Sources 1
About this happening:
**Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...
Graphalgo malicious npm and PyPI RAT downloader packages
Malware ActivityAbout this happening: **Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...
Latest development: 29.04.2026 17:43
North Korean graphalgo operators use fake companies, fake job interviews, and coding tests on job-seeking platforms and social networks to lure developers into downloading GitHub-hosted assessment projects that carry malicious npm or PyPI dependencies and ultimately install a RAT. One front company, Blocmerce, registered an LLC in Florida in August 2025, and related GitHub organizations have been active since June 2025.
Lazarus Group graphalgo recruitment-themed package campaign
Campaign
H score38
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...
Lazarus Group graphalgo recruitment-themed package campaign
CampaignAbout this happening: The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...
North Korea-linked Lazarus Group's ongoing open-source poisoning model
Threat Actor Meta
H score38
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
**North Korea-linked threat actors** are continuing to **poison open-source ecosystems** with malicious packages, signaling an ongoing supply-chain operating model aimed at **data...
North Korea-linked Lazarus Group's ongoing open-source poisoning model
Threat Actor MetaAbout this happening: **North Korea-linked threat actors** are continuing to **poison open-source ecosystems** with malicious packages, signaling an ongoing supply-chain operating model aimed at **data...
Obfuscated web skimmer payload targeting Stripe checkout forms
Malware Activity
H score30
First: 13.01.2026 19:30
Last: 13.01.2026 19:30
Sources 1
About this happening:
**Silent Push** disclosed a **Magecart**-style **web skimming campaign** that has operated since **2022** and targets **e-commerce checkout pages** tied to at least **six major pa...
Obfuscated web skimmer payload targeting Stripe checkout forms
Malware ActivityAbout this happening: **Silent Push** disclosed a **Magecart**-style **web skimming campaign** that has operated since **2022** and targets **e-commerce checkout pages** tied to at least **six major pa...
Timeline
-
26.02.2026 12:09 1 articles · 4mo ago
StripeApi.Net upload and Stripe API token exfiltration setup
Technical Analysis UpdateStripePayments uploaded the malicious NuGet package StripeApi.Net to the NuGet Gallery on February 16, 2026, posing it as Stripe.net with the same icon and a nearly identical readme while inflating downloads across 506 versions to more than 180,000. The package kept most functionality intact but modified critical methods to collect and transfer the user's Stripe API token, creating a supply-chain risk for developers in the financial sector.
Show sources
- Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens — thehackernews.com — 26.02.2026 12:09
-
26.02.2026 12:09 2 articles · 4mo ago
Researchers disclose malicious StripeApi.Net package on NuGet Gallery
Initial DisclosureCybersecurity researchers disclosed the malicious NuGet Gallery package StripeApi.Net on February 26, 2026 after it was found impersonating Stripe.net to target the financial sector. ReversingLabs said it discovered and reported the package relatively soon after release, and the package was removed before it could inflict serious damage.
Show sources
- Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens — thehackernews.com — 26.02.2026 12:09
- Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens — thehackernews.com — 26.02.2026 12:09