Fake Braintree NuGet Package Skims Credit Cards and Harvests Merchant Credentials
Malicious Braintree.Net NuGet package steals credit cards and merchant API credentials.
Summary
Socket's threat research team discovered a sophisticated typosquat NuGet package named Braintree.Net that masquerades as PayPal's official Braintree SDK. The multi-stage .NET implant intercepts live payment card data (PAN, CVV, expiration), harvests Braintree merchant API keys, and exfiltrates host environment secrets and configuration files through attacker-controlled infrastructure at api.348672-shakepay[.]com. Despite ~334 genuine installs across malicious versions 3.35.8–3.36.1, the attacker artificially inflated download metrics to ~14M by publishing 120 empty placeholder versions.
Full text
Security News/ResearchCompromised Injective SDK npm Package Exfiltrates Wallet Keys and MnemonicsCompromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.By Karlo Zanki - Jul 09, 2026
Indicators of Compromise
- domain — api.348672-shakepay.com
- url — https://api.348672-shakepay.com/api/card
- url — https://api.348672-shakepay.com/api/account
- url — https://api.348672-shakepay.com/api/analytics/report
- hash_sha256 — 7a9f19ed663c1d4ee259ba0a10e93e1c9770812ce81f8c945140a452d17cb3c8
- hash_sha256 — efec1e537445170a9aac11781c597cba5bd5d25b79ac3d65467d84f109d86fd4
- malware — Braintree.Net (NuGet package)
- malware — DependencyInjector.Core (NuGet package)