Malicious NuGet package targets Stripe

ReversingLabs discovered a typosquatted NuGet package named StripeApi.Net that impersonated the legitimate Stripe.net package, injected malicious code into the StripeClient initialization to capture API tokens, and attempted to exfiltrate them to a Supabase backend. The package used visual and metadata masquerading plus artificially inflated download/version counts but was removed quickly by NuGet admins and investigators found no confirmed stolen tokens in the Supabase database. #StripeApiNet #Supabase

Keypoints

  • Threat actors published a typosquatted NuGet package, StripeApi.Net, designed to mimic the official Stripe.net package to trick .NET developers.
  • The malicious package preserved legitimate Stripe.net code but inserted additional logic into the StripeClient initialization to capture API tokens and a machine identifier.
  • Stolen tokens were programmed to be forwarded to a Supabase-managed PostgreSQL instance via an AddApiKeyAsync function.
  • The package used visual impersonation (icon, README, tags, owner name) and artificially inflated download counts split across 506 versions to appear established.
  • ReversingLabs reported the package soon after its Feb 16 release, NuGet removed it, and investigators found only a test entry—not exfiltrated tokens—in the Supabase database.
  • Researchers highlight the broader supply-chain risk: typosquatting and subtle library modifications can exfiltrate secrets while leaving application functionality intact.
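
The supply-chain risk described above can be checked for on the defender's side by auditing a project's package references. The following is an added example, not code from ReversingLabs or the report; it parses a constructed SDK-style .csproj, flags the package name the report identifies as malicious, and flags any other name within a small edit distance of an assumed allowlist (the allowlist, the sample file and the distance threshold of 4 are assumptions).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .csproj; StripeApi.Net is the report's typosquat, "Stripe-net" a constructed lookalike.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="StripeApi.Net" Version="50.4.10" />
    <PackageReference Include="Stripe-net" Version="1.0.0" />
  </ItemGroup>
</Project>"""

TRUSTED = ("Stripe.net", "Newtonsoft.Json")  # assumed allowlist for this project
KNOWN_BAD = {"stripeapi.net"}                 # names the report identifies as malicious

def levenshtein(a, b):
    """Edit distance between two strings, used to spot near-miss package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name):
    """Lowercase and strip punctuation so 'Stripe-net' and 'Stripe.net' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def package_references(csproj_xml):
    """Return (name, version) for every <PackageReference> in an SDK-style .csproj."""
    root = ET.fromstring(csproj_xml)
    return [(e.get("Include", ""), e.get("Version", "")) for e in root.iter("PackageReference")]

def audit(csproj_xml, max_distance=4):
    """Flag known-malicious names and names within max_distance edits of a trusted one."""
    trusted_lower = {t.lower() for t in TRUSTED}
    findings = []
    for name, version in package_references(csproj_xml):
        key = name.lower()
        if key in KNOWN_BAD:
            findings.append({"package": name, "version": version, "reason": "known malicious"})
        elif key not in trusted_lower:  # exact allowlisted names need no further checks
            for t in TRUSTED:
                if levenshtein(normalize(name), normalize(t)) <= max_distance:
                    findings.append({"package": name, "version": version,
                                     "reason": "lookalike of trusted package " + t})
                    break
    return findings

for f in audit(SAMPLE_CSPROJ):
    print(f"{f['package']} {f['version']}: {f['reason']}")
```

A real audit would read every .csproj and packages.lock.json in the repository and fail the build on any finding; the threshold should be tuned to the allowlist so short trusted names do not produce false positives.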

MITRE Techniques

  • [T1195.002] Compromise Software Dependencies and Development Tools – Attacker published a malicious NuGet package (typosquatting) that masquerades as a legitimate dependency to insert malicious logic into downstream applications (‘The name of that typosquatting package is StripeApi.Net.’).
  • [T1036] Masquerading – The package mimicked the official Stripe.net package by reusing the same icon, nearly identical README and tags, and a similar owner name to appear legitimate (‘It uses the same icon as the legitimate package and contains a nearly identical readme, only swapping the “Stripe.net” references to read “Stripe-net.”’).
  • [T1567] Exfiltration Over Web Service – Stolen API tokens and a machine ID were sent to an attacker-controlled Supabase backend via the package’s AddApiKeyAsync function (‘The stolen API token is then forwarded to the “AddApiKeyAsync” function which exfiltrates the token … sending the data to a legitimate Supabase server.’).

Indicators of Compromise

  • [NuGet package] Typosquatted package used to distribute malicious code – StripeApi.Net version 50.4.10 (example), and dozens/hundreds of additional obscure versions split across many releases.
  • [File hash] Package binary integrity indicator – SHA1: 50bf5d4cf8fb4964e0e67b4cb46dacf89e7a615 (associated with StripeApi.Net 50.4.10).
  • [Publisher/Owner] NuGet account name used to appear legitimate – “StripePayments” (default NuGet profile picture noted as a distinguishing artifact).
  • [Exfiltration endpoint] Cloud backend used to receive stolen tokens – Supabase instance (investigators accessed the Supabase DB with the attackers’ API key and found only a test entry, no real tokens).

Read more: https://www.reversinglabs.com/blog/malicious-nuget-package-targets-stripe