Back to Feed
Supply ChainJul 9, 2026

Fake Braintree NuGet Package Skims Credit Cards and Harvests Merchant Credentials

Malicious Braintree.Net NuGet package steals credit cards and merchant API credentials.

Summary

Socket's threat research team discovered a sophisticated typosquat NuGet package named Braintree.Net that masquerades as PayPal's official Braintree SDK. The multi-stage .NET implant intercepts live payment card data (PAN, CVV, expiration), harvests Braintree merchant API keys, and exfiltrates host environment secrets and configuration files through attacker-controlled infrastructure at api.348672-shakepay[.]com. Despite ~334 genuine installs across malicious versions 3.35.8–3.36.1, the attacker artificially inflated download metrics to ~14M by publishing 120 empty placeholder versions.

Full text

Security News/ResearchCompromised Injective SDK npm Package Exfiltrates Wallet Keys and MnemonicsCompromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.By Karlo Zanki - Jul 09, 2026

Indicators of Compromise

  • domain — api.348672-shakepay.com
  • url — https://api.348672-shakepay.com/api/card
  • url — https://api.348672-shakepay.com/api/account
  • url — https://api.348672-shakepay.com/api/analytics/report
  • hash_sha256 — 7a9f19ed663c1d4ee259ba0a10e93e1c9770812ce81f8c945140a452d17cb3c8
  • hash_sha256 — efec1e537445170a9aac11781c597cba5bd5d25b79ac3d65467d84f109d86fd4
  • malware — Braintree.Net (NuGet package)
  • malware — DependencyInjector.Core (NuGet package)

Entities

PayPal (vendor)Braintree (product)Braintree.Net (product)DependencyInjector.Core (product)SipNet (product)NuGet (technology)