Fake Braintree NuGet Package Skims Credit Cards and Harvests Merchant Credentials

    Date: 07/14/2026

    Severity: High

    Summary

    Researchers identified a malicious NuGet supply-chain campaign using Braintree.Net, a typosquat of the legitimate Braintree payment SDK. The package silently intercepts live payment-card data, steals Braintree merchant API credentials, and harvests environment, configuration, and cloud-related secrets while allowing normal payment operations to continue. The malicious behavior primarily targets production environments and exfiltrates stolen data to attacker-controlled infrastructure; additional packages such as DependencyInjector.Core were also involved in the campaign. 

    Indicators of Compromise (IOC) List

    Domain/Urls

    https://api.348672-shakepay.com/api/card

    https://api.348672-shakepay.com/api/account

    https://api.348672-shakepay.com/api/analytics/report

    Hash

    7a9f19ed663c1d4ee259ba0a10e93e1c9770812ce81f8c945140a452d17cb3c8

    f181d57c29364aef01e3f72051ec2dc0da918d346e7e4d1377e13408afb8663a

    220908e8c23c2332266ba1e984f839b9914c2e40a946b172f6d9b8b36728f98a

    86d287eafecd542faec21a95522b3425000ae5d8650813a9987b7c10cf90fc7a

    5cae5ec54f450ef7483e265d289edc3877c17e3ae508c06e1679371aa1c1306f

    d6fbfada62639578b6a6e91786928705dd22bb14b0f030504ffbc974e23528bc

    e0c7797e7dba2056bc95bfddb96d9f07afb93988f108bc417c40cd05f7ae49a4

    064653872c1b4c3d5b5242627cda259056fed7159fcd2cc5a448981c9f81aeda

    2547382cd5151e2210c6349f17230ae3d1a59935e3b8d1757d72d9abd30ac858

    52aeb64f4199235704d0e4a6908c501c3b4bdd4a004a766a5ca55b9655b24775

    9dff477e6d30872669bb6186c67147a945d9de7e947eb7906afdb03c93901ead

    efec1e537445170a9aac11781c597cba5bd5d25b79ac3d65467d84f109d86fd4

    7c30f007af910886b46f6022dd724dd303ad2d5f983376d0547293f484d6ae71

    9d8d79000f6413668429d851f7d8ce94cd1b61c3a421939cf34cec8d668f5388

    c9564621abec9bdb7ceb38bb1a2895a119772b7f830351272c13a3f4cd606b97

    f53359313ce9a9433651202a7ffbf155dc1379103796a45492a50edbf044d59d

    b4a5bcf4ce8c9cc844c06f436d4c26b28cb408f7e4fd8990681336445493acc1

    531302fe3b8a8624aa468ee83707448fbd1db2eaa3f8d587331db2b17890f8ad

    bfdaf869a3956b37bf416dcdafdad314e8de0215cfd8fd8b2bc7a4e5cd15a349

    5138ea25563be4ae8143b7a46c6bc42af00344678e6d4451ac596b5b5587c70e

    eceab1132aacd803962fa173d1b2c43e225fcfa8b5d26d3efadad1b4de33d8ec

    de6384e853dfc007205abb7b15b49eded2e3e977058600dece2c2e9190a5191a

    c3be125753aea85728a082823db77d833377d7e3eb199364aa49d1ff2535f53e

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://api.348672-shakepay.com/api/card" or url like "https://api.348672-shakepay.com/api/card" or siteurl like "https://api.348672-shakepay.com/api/card" or domainname like "https://api.348672-shakepay.com/api/account" or url like "https://api.348672-shakepay.com/api/account" or siteurl like "https://api.348672-shakepay.com/api/account" or domainname like "https://api.348672-shakepay.com/api/analytics/report" or url like "https://api.348672-shakepay.com/api/analytics/report" or siteurl like "https://api.348672-shakepay.com/api/analytics/report"

    Detection Query 2 :

    sha256hash IN ("b4a5bcf4ce8c9cc844c06f436d4c26b28cb408f7e4fd8990681336445493acc1","e0c7797e7dba2056bc95bfddb96d9f07afb93988f108bc417c40cd05f7ae49a4","de6384e853dfc007205abb7b15b49eded2e3e977058600dece2c2e9190a5191a","d6fbfada62639578b6a6e91786928705dd22bb14b0f030504ffbc974e23528bc","f181d57c29364aef01e3f72051ec2dc0da918d346e7e4d1377e13408afb8663a","220908e8c23c2332266ba1e984f839b9914c2e40a946b172f6d9b8b36728f98a","5cae5ec54f450ef7483e265d289edc3877c17e3ae508c06e1679371aa1c1306f","eceab1132aacd803962fa173d1b2c43e225fcfa8b5d26d3efadad1b4de33d8ec","9dff477e6d30872669bb6186c67147a945d9de7e947eb7906afdb03c93901ead","c9564621abec9bdb7ceb38bb1a2895a119772b7f830351272c13a3f4cd606b97","86d287eafecd542faec21a95522b3425000ae5d8650813a9987b7c10cf90fc7a","9d8d79000f6413668429d851f7d8ce94cd1b61c3a421939cf34cec8d668f5388","7c30f007af910886b46f6022dd724dd303ad2d5f983376d0547293f484d6ae71","2547382cd5151e2210c6349f17230ae3d1a59935e3b8d1757d72d9abd30ac858","5138ea25563be4ae8143b7a46c6bc42af00344678e6d4451ac596b5b5587c70e","7a9f19ed663c1d4ee259ba0a10e93e1c9770812ce81f8c945140a452d17cb3c8","52aeb64f4199235704d0e4a6908c501c3b4bdd4a004a766a5ca55b9655b24775","c3be125753aea85728a082823db77d833377d7e3eb199364aa49d1ff2535f53e","efec1e537445170a9aac11781c597cba5bd5d25b79ac3d65467d84f109d86fd4","bfdaf869a3956b37bf416dcdafdad314e8de0215cfd8fd8b2bc7a4e5cd15a349","531302fe3b8a8624aa468ee83707448fbd1db2eaa3f8d587331db2b17890f8ad","f53359313ce9a9433651202a7ffbf155dc1379103796a45492a50edbf044d59d","064653872c1b4c3d5b5242627cda259056fed7159fcd2cc5a448981c9f81aeda")

    Reference: 

    https://socket.dev/blog/braintree-nuget-typosquat-skims-credit-cards 


    Tags

    MalwareSupply chain attackCredential HarvestingcryptocurrencyCloud InfrastructureExfiltrationStealer

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags