A malicious package impersonating a Stripe payments library was uploaded to the NuGet Gallery on February 16, 2026, and recorded more than 180,000 downloads split across 506 versions, researchers reported in a technical analysis by ReversingLabs.
KEY FACTS
- Incident: Malicious NuGet package impersonating a payments library
- Upload date: February 16, 2026
- Downloads: More than 180,000 across 506 versions
- Target: Stripe.net library
The package was published by an account named StripePayments. It was removed after discovery and before it could cause widespread damage, according to the timeline in the analysis.
The NuGet page was crafted to resemble the legitimate package, reusing the same icon and a nearly identical readme with only minor name changes. The actor also split and inflated downloads across many versions to create a false impression of legitimate use.
The malicious code replicated much of the legitimate library while modifying critical methods to collect and transfer sensitive data, including Stripe API tokens, back to the actor. Applications using the package would continue to function and process payments while tokens were being copied in the background.
WHY IT MATTERS
Typosquatting in package repositories can enable silent data exfiltration while software appears to work normally. Developers and maintainers should verify package provenance and limit exposure of API tokens and secrets.
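One way to act on the provenance advice above is to fail a build when a project references a package ID that is not on an approved list, and to call out IDs that closely resemble an approved one. The following is an added example, not code from the ReversingLabs analysis; the approved list, the sample project file, the 0.8 similarity threshold and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Assumption: the exact package IDs this project has approved.
APPROVED = {"Stripe.net", "Newtonsoft.Json"}

# Constructed sample project file; the unapproved IDs and all versions are made up.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="1.0.0" />
    <PackageReference Include="stripe.NET" Version="1.0.0" />
    <PackageReference Include="Stripe-net" Version="1.0.0" />
    <PackageReference Include="Stripee.net" Version="1.0.0" />
    <PackageReference Include="Contoso.Logging" Version="1.0.0" />
  </ItemGroup>
</Project>"""

def normalize(pkg_id):
    # NuGet IDs are case-insensitive; dropping separators exposes variants
    # that differ from an approved ID only by punctuation.
    return re.sub(r"[^a-z0-9]", "", pkg_id.lower())

def package_ids(csproj_text):
    # Match on the local tag name so legacy projects with an XML namespace work too.
    root = ET.fromstring(csproj_text)
    return [el.attrib["Include"] for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "PackageReference" and "Include" in el.attrib]

def audit(csproj_text, approved=APPROVED, threshold=0.8):
    """Return (package_id, verdict, closest_approved_id) for every unapproved reference."""
    exact = {a.lower() for a in approved}
    findings = []
    for pkg in package_ids(csproj_text):
        if pkg.lower() in exact:
            continue  # exact, case-insensitive match to an approved ID
        scored = [(SequenceMatcher(None, normalize(pkg), normalize(a)).ratio(), a)
                  for a in sorted(approved)]
        score, closest = max(scored)
        if score >= threshold:
            findings.append((pkg, "lookalike", closest))
        else:
            findings.append((pkg, "unapproved", None))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSPROJ):
        print(finding)
```

A name check of this kind catches only lookalike IDs; it does not replace confirming the publishing account and package signature on the NuGet page.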

