Back to advisories

Fake Braintree NuGet Package Skims Credit Cards and Harvests Merchant Credentials

A typosquat NuGet package named Braintree.Net impersonates PayPal's official Braintree SDK and contains a multi-stage .NET implant that steals payment card data (PAN, CVV, expiration dates), harvests merchant API credentials, and exfiltrates environment secrets. At least 334 developers installed malicious versions 3.35.8-3.36.1. Any .NET application using this package is compromised and actively leaking sensitive payment and authentication data to attacker infrastructure.

CRITICALAdvisoryJul 11, 2026
Action required
Immediately audit your .NET dependency manifests (packages.config, .csproj) for Braintree.Net package. If found, assume breach: isolate affected systems, revoke all Braintree merchant API keys, rotate secrets/credentials, monitor associated payment processor accounts for fraud, and notify downstream customers. Hunt for api.348672-shakepay[.]com DNS/HTTP traffic and child processes spawned by dotnet.exe or csc.exe.
Affected products
PayPalBraintreeBraintree.NetDependencyInjector.CoreSipNet