[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"focus:fake-braintree-nuget-package-skims-credit-cards-and-harvests-merchant-credential-mrfnxf1w":3},{"item":4},{"id":5,"title":6,"slug":7,"summary":8,"severity":9,"category":10,"cve_ids":11,"affected_products":12,"action_required":18,"article_ids":19,"ioc_summary":21,"source_urls":22,"status":24,"expires_at":25,"created_at":26,"updated_at":27,"articles":28},"19d3c9cf-1ee2-4202-866a-8fa1a30131b7","Fake Braintree NuGet Package Skims Credit Cards and Harvests Merchant Credentials","fake-braintree-nuget-package-skims-credit-cards-and-harvests-merchant-credential-mrfnxf1w","A typosquat NuGet package named Braintree.Net impersonates PayPal's official Braintree SDK and contains a multi-stage .NET implant that steals payment card data (PAN, CVV, expiration dates), harvests merchant API credentials, and exfiltrates environment secrets. At least 334 developers installed malicious versions 3.35.8-3.36.1. Any .NET application using this package is compromised and actively leaking sensitive payment and authentication data to attacker infrastructure.","critical","advisory",[],[13,14,15,16,17],"PayPal","Braintree","Braintree.Net","DependencyInjector.Core","SipNet","Immediately audit your .NET dependency manifests (packages.config, .csproj) for Braintree.Net package. If found, assume breach: isolate affected systems, revoke all Braintree merchant API keys, rotate secrets\u002Fcredentials, monitor associated payment processor accounts for fraud, and notify downstream customers. Hunt for api.348672-shakepay[.]com DNS\u002FHTTP traffic and child processes spawned by dotnet.exe or csc.exe.",[20],"01125c68-95a4-43d9-8ea5-73a81de2ae19",null,[23],"https:\u002F\u002Fsocket.dev\u002Fblog\u002Fbraintree-nuget-typosquat-skims-credit-cards?utm_medium=feed","active","2026-07-13T01:05:12.662+00:00","2026-07-11T01:05:16.225359+00:00","2026-07-11T01:08:44.590591+00:00",[29],{"id":20,"title":6,"url":23}]