Socket detected a malicious NuGet package, Braintree.Net, masquerading as the official Braintree SDK and stealing payment card data, merchant API keys, and host secrets through multi-stage .NET implant behavior. The campaign also used a companion DependencyInjector.Core payload, typosquatting, and fake download inflation to hide attacker-controlled exfiltration to api.348672-shakepay[.]com. #Braintree.Net #DependencyInjector.Core #Braintree #SIPNet #SipNet.OpenAI.Realtime
Keypoints
- Braintree.Net was published as a malicious NuGet package impersonating the official Braintree payment SDK.
- Socket flagged the package 10 minutes after the first malicious version appeared on July 3, 2026.
- The implant steals live payment card data, Braintree merchant API keys, and host environment secrets.
- Exfiltration destinations include api.348672-shakepay[.]com/api/card, /api/account, and /api/analytics/report.
- The package uses typosquatting, copied documentation, and inflated download counts to appear legitimate.
- Several Braintree.Net and DependencyInjector.Core versions are confirmed malicious, and SipNet packages are transitively affected.
- The malicious code is gated in production for payment theft, while the environment harvester runs on assembly load in .NET 8+ targets.
MITRE Techniques
- [T1195 ] Supply Chain Compromise – The attacker published a typosquatted NuGet package to poison developers who install the official SDK (‘malicious NuGet package masquerading as the official Braintree payment gateway client’).
- [T1036 ] Masquerading – The package impersonates the real Braintree library using a similar name, copied metadata, and stolen documentation (‘Package ID: Braintree.Net… Claimed author: Braintree… README bundled in the package is copied from official Braintree documentation’).
- [T1218 ] System Binary Proxy Execution – The malicious DLL executes inside legitimate .NET applications when referenced as a dependency (‘when a .NET application references Braintree.Net and loads the assembly’).
- [T1546 ] Event Triggered Execution – Module initializers run automatically at assembly load without a direct API call (‘[ModuleInitializer] attributes guarantee execution at assembly load’).
- [T1056.001 ] Input Capture: Keylogging – The implant captures sensitive payment fields entered into request objects, including card number and CVV (‘POST cardNumber, cvv, expiration, …’).
- [T1005 ] Data from Local System – The harvester collects environment variables, appsettings files, cloud metadata, mounted secrets, and assembly/dependency data (‘captures Braintree keys from environment variables or appsettings.json, database connection strings, cloud IAM role credentials, and CI/CD tokens’).
- [T1552 ] Unsecured Credentials – The malware exfiltrates merchantId, publicKey, privateKey, and other secrets from configuration and environment (‘steals Braintree merchant API credentials… merchantId, publicKey, and privateKey triple’).
- [T1041 ] Exfiltration Over C2 Channel – Stolen data is sent to attacker-controlled infrastructure via HTTPS POST requests (‘POSTs it to a hardcoded endpoint’).
- [T1027 ] Obfuscated Files or Information – The analytics endpoint is XOR-obfuscated in DependencyInjector.Core to hinder detection (‘the analytics/report endpoint used by DependencyInjector.Core is XOR-obfuscated at rest’).
- [T1562.001 ] Impair Defenses: Disable or Evade Security Tools – Empty catch blocks suppress errors so the victim sees no failures (‘Network failures, TLS errors, and malformed payloads are swallowed silently’).
Indicators of Compromise
- [Domains/URLs ] Exfiltration and reporting endpoints – api.348672-shakepay[.]com, api.348672-shakepay[.]com/api/card, and other endpoint paths such as /api/account and /api/analytics/report
- [HTTP Header ] Used by exfiltration requests – X-Api-Key: 2523-5235-8564-2683-2386
- [Package IDs ] Malicious and affected NuGet packages – pkg:nuget/[email protected], pkg:nuget/[email protected], and other listed versions
- [File Names ] Malicious assemblies and companion payloads – Braintree.dll, DependencyInjector.Core.dll, and related package binaries
- [File Hashes ] Confirmed hashes for malicious DLLs – Braintree.dll hash set, DependencyInjector.Core.dll hash set, and other hashes listed in the article
- [Class/Type Names ] Assembly artifacts to hunt – Braintree.CardOperationLogger, Braintree.DependencyInjectorLoader, DependencyInjector.Core.AutoInitializer, and DependencyInjector.Core.Reporting.EndpointObfuscator
- [XOR Artifacts ] Obfuscation data for hidden endpoint decoding – key 4A7B2C5D1E8F3A6B9C0D5E2F7A4B1C8D, obfuscated blob 220F582D6DB51544FD7D3701497F24BB7D49012E76EE510EEC6C2701192471A22B0B45727FE15B07E579374C09646EE83A145E29
- [Cloud/Network IPs ] Passive DNS resolution for the attacker domain – 104.21[.]89.51, 172.67[.]188.32
Read more: https://socket.dev/blog/braintree-nuget-typosquat-skims-credit-cards