Braintree.Net NuGet typosquat skims cards and merchant credentials

Confirmed
Discovered Jul 9, 2026

A fake Braintree-compatible NuGet package used production-only payment hooks and a companion module initializer to steal card and host secrets.

13
Affected Packages
6
Observables
1
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
Braintree.Net, Braintree.Net, Braintree.Net, Braintree.Net
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
Braintree[.]dll
DependencyInjector[.]Core[.]dll
172[.]67[.]188[.]32
104[.]21[.]89[.]51
api[.]348672-shakepay[.]com

Analysis

Executive Summary

A fake Braintree-compatible NuGet package used production-only payment hooks and a companion module initializer to steal card and host secrets. The cited researchers identify the execution trigger as .NET module initialization, production gateway configuration, and payment API calls and the observed behavior as: intercepts PAN/CVV, steals Braintree merchant keys, and harvests environment, config, cloud, and container secrets. [1]

Responders should treat a matching malicious version as exposure and seek execution or egress evidence before asserting data theft. Secrets at risk include payment card data, Braintree merchant credentials, connection strings, cloud credentials, and CI tokens. No public victim count is treated as verified. [1]

Key Facts

Analysis table
FactValue
Affected artifactsBraintree.Net, DependencyInjector.Core, SipNet, SipNet.OpenAI.Realtime
Ecosystemnuget
Malicious versionsBraintree.Net@3.35.8, Braintree.Net@3.35.9, Braintree.Net@3.36.0, Braintree.Net@3.36.1, DependencyInjector.Core@1.0.0, DependencyInjector.Core@1.3.0, DependencyInjector.Core@1.4.0, DependencyInjector.Core@1.4.1, SipNet@12.8.4, SipNet@12.8.5, SipNet@12.8.6, SipNet@12.8.7; conditional transitive exposure: SipNet.OpenAI.Realtime@12.8.3
Disclosure2026-07-09
Verified recovery directionreplace Braintree.Net with official Braintree package; verify every companion dependency separately

Evidence Assessment

Analysis table
AssessmentClaimEvidence
ConfirmedListed package versions carried or transitively resolved malicious code.Static package analysis and version comparison by the cited researchers. [1]
ConfirmedTrigger: .NET module initialization, production gateway configuration, and payment API calls.Source-level or compiled-artifact analysis. [1]
Confirmedintercepts PAN/CVV, steals Braintree merchant keys, and harvests environment, config, cloud, and container secrets.Decompiled/static analysis and reported telemetry where available. [1]
UnclearNumber of affected organizations or successful thefts.Neither source establishes a verified victim count.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceActionClosure gate
ExposureMalicious selector in a lockfile, cache, or inventoryPreserve dependency graph and cache metadataIsolate affected workload and determine whether trigger ranEvery matching host classified
Likely executionInstall/load logs or files align with the triggerProcess, file, CI, application, and egress timelineRebuild and rotate reachable secretsNegative rescan and completed rotations
Confirmed compromiseIOC egress, payload hash, or theft/abuse evidenceProxy/EDR evidence with UTC timestampsIncident response and downstream abuse reviewAbuse review, recovery monitoring, and evidence sign-off

Minimum Evidence To Collect

  • Dependency evidence: preserve lockfiles, SBOMs, package-manager caches, and CI restore/install logs; they identify exact versions and resolve exposure classification.
  • Execution evidence: collect EDR process/file events and application or assembly-load logs around dependency use; they determine whether .NET module initialization, production gateway configuration, and payment API calls occurred.
  • Network evidence: retain DNS, proxy, firewall, and TLS metadata for api.348672-shakepay.com, 104.21.89.51, 172.67.188.32; a matching outbound event materially raises confidence.
  • Identity evidence: export audit logs for identities holding payment card data, Braintree merchant credentials, connection strings, cloud credentials, and CI tokens; these decide credential rotation scope and whether downstream abuse occurred.

Timeline

  • 2026-07-09 (UTC; exact time varies by artifact): malicious publication/discovery activity documented by the cited researchers. [1]
  • 2026-07-09: public technical reporting and defensive guidance published. [1]
  • Current registry removal status: unknown after this source-only review; validate through metadata-only registry queries before publication.

What Happened

The incident abused trusted package distribution or a deceptive package identity to deliver code that looked compatible with expected developer workflows. It then used .NET module initialization, production gateway configuration, and payment API calls to activate and intercepts PAN/CVV, steals Braintree merchant keys, and harvests environment, config, cloud, and container secrets. [1]

Initial Access

The affected artifacts were distributed through nuget package channels. This folder does not infer an actor identity beyond source-supported account or publishing-path facts. [1]

Execution Trigger

.net module initialization, production gateway configuration, and payment api calls. [1]

Payload Behavior

The observed payload intercepts PAN/CVV, steals Braintree merchant keys, and harvests environment, config, cloud, and container secrets. [1]

Credential or Data Collection

The defensible exposure set is payment card data, Braintree merchant credentials, connection strings, cloud credentials, and CI tokens. Rotate only after preserving evidence and mapping which secrets were available to the affected process. [1]

Defense Evasion

The source reporting describes deceptive naming, silent failure, obfuscation, or trigger placement intended to reduce discovery. Do not generalize beyond the specific files and selectors in this packet. [1]

Exfiltration and Command and Control

Observed network selectors are api.348672-shakepay.com, 104.21.89.51, 172.67.188.32. Human-readable prose is defanged where shown; raw values remain in iocs.json. [1]

Affected Assets and Blast Radius

Analysis table
AssetExposure pathPriority
Developer workstationsdependency installed, imported, or loadedHigh
CI/build runnerspackage restore plus secrets in job contextCritical
Production applicationsruntime trigger or assembly useCritical
Downstream identitiessecrets reachable by affected processCritical

Indicators of Compromise

Analysis table
TypeValues
Package versionsBraintree.Net@3.35.8, Braintree.Net@3.35.9, Braintree.Net@3.36.0, Braintree.Net@3.36.1, DependencyInjector.Core@1.0.0, DependencyInjector.Core@1.3.0, DependencyInjector.Core@1.4.0, DependencyInjector.Core@1.4.1, SipNet@12.8.4, SipNet@12.8.5, SipNet@12.8.6, SipNet@12.8.7; conditional transitive exposure: SipNet.OpenAI.Realtime@12.8.3
FilesBraintree.dll, DependencyInjector.Core.dll
Domains (defanged)api[.]348672-shakepay[.]com
IPs (defanged)104[.]21[.]89[.]51, 172[.]67[.]188[.]32
SHA-256See source; no compact hash set included here

Detection and Hunting

Run scripts/hunt.py opens in a new tab against exported lockfiles, SBOMs, restore/install logs, proxy/DNS logs, or file inventories. It answers whether exact package versions, file selectors, hashes, domains, or IPs are present. A match is a triage lead; package-only matches may be false positives from documentation or cleanly quarantined caches. Escalate by preserving the matching record and correlating it with process and identity audit logs.

Downstream Abuse Audits

Review source-control, registry, cloud, payment, wallet, and CI identity logs only where the affected process could access those services. Search from the earliest package acquisition through credential rotation for new tokens, unusual sessions, publishing, transaction changes, secret reads, and deployment activity. The reason is specific: the payload targeted payment card data, Braintree merchant credentials, connection strings, cloud credentials, and CI tokens. [1]

Remediation and Recovery Gates

  1. Preserve lockfiles, caches, process/file telemetry, and egress evidence before cleanup.
  2. Stop package execution and isolate hosts with runtime or egress evidence.
  3. Remove the listed versions and invalidate internal caches.
  4. Rotate payment card data, Braintree merchant credentials, connection strings, cloud credentials, and CI tokens from a clean host, prioritizing secrets present during execution.
  5. Rebuild likely or confirmed hosts from verified images rather than trusting package removal alone.
  6. Apply the recovery direction: replace Braintree.Net with official Braintree package; verify every companion dependency separately.
  7. Audit downstream identity and transaction activity from first exposure through rotation.
  8. Rescan lockfiles, caches, files, and egress exports with the tested hunter.
  9. Close only after every exposed host is classified, required rotations and abuse reviews are complete, and post-recovery monitoring is clean.

Open Questions

  • How many organizations actually executed the malicious code?
  • Is additional attacker infrastructure or campaign-linked packaging still active?
  • What is the current registry availability/deprecation status of every listed version?

Timeline

7 of 7 rows

Timeline
DateEventDescriptionSource
Invalid DateMalicious publish timeMalicious publish time recorded for Braintree.Net NuGet typosquat skims cards and merchant credentials.Socket
Invalid DateRemovalRemoval recorded for Braintree.Net NuGet typosquat skims cards and merchant credentials.Socket
Jul 9, 2026First seenFirst seen recorded for Braintree.Net NuGet typosquat skims cards and merchant credentials.Socket
Jul 9, 2026DiscoveryDiscovery recorded for Braintree.Net NuGet typosquat skims cards and merchant credentials.Socket
Jul 9, 2026DisclosureDisclosure recorded for Braintree.Net NuGet typosquat skims cards and merchant credentials.Socket
Invalid DatePatch or fixPatch or fix recorded for Braintree.Net NuGet typosquat skims cards and merchant credentials.Socket
Jul 9, 2026Braintree.Net NuGet typosquat skims cards and merchant credentialsUnknownSocket

Affected Software

13 of 13 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
Braintree.NetNuGet3.35.8Malicious90%Socket
Braintree.NetNuGet3.35.9Malicious90%Socket
Braintree.NetNuGet3.36.0Malicious90%Socket
Braintree.NetNuGet3.36.1Malicious90%Socket
DependencyInjector.CoreNuGet1.0.0Malicious90%Socket
DependencyInjector.CoreNuGet1.3.0Malicious90%Socket
DependencyInjector.CoreNuGet1.4.0Malicious90%Socket
DependencyInjector.CoreNuGet1.4.1Malicious90%Socket
SipNetNuGet12.8.4Malicious90%Socket
SipNetNuGet12.8.5Malicious90%Socket
SipNetNuGet12.8.6Malicious90%Socket
SipNetNuGet12.8.7Malicious90%Socket
SipNet.OpenAI.RealtimeNuGet12.8.3Malicious90%Socket

IOC Clipboard

6 IOCs
file_pathBraintree.dll
file_pathDependencyInjector.Core.dll
ip172.67.188.32
ip104.21.89.51
network_patternapi.348672-shakepay.com
domainapi.348672-shakepay.com

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
Braintree.Net NuGet typosquat skims cards and merchant credentials evidence scopePythonDo exported dependency, file, or network records contain incident-specific selectors?scripts/hunt.py opens in a new tabSocket

Hunt Manifest: Braintree.Net NuGet typosquat skims cards and merchant credentials evidence scope

Title
Braintree.Net NuGet typosquat skims cards and merchant credentials evidence scope
Question
Do exported dependency, file, or network records contain incident-specific selectors?
Telemetry Family
Python
Repository
scripts/hunt.py
Show tested hunting scriptscripts/hunt.py
scripts/hunt.py opens in a new tabPython
#!/usr/bin/env python3
"""Read-only IOC scanner for exported text/CSV/JSON evidence. Never installs packages."""
import argparse,json,re,sys
IOCS={'packages': ['Braintree.Net', 'DependencyInjector.Core', 'SipNet', 'SipNet.OpenAI.Realtime'], 'versions': ['Braintree.Net@3.35.8', 'Braintree.Net@3.35.9', 'Braintree.Net@3.36.0', 'Braintree.Net@3.36.1', 'DependencyInjector.Core@1.0.0', 'DependencyInjector.Core@1.3.0', 'DependencyInjector.Core@1.4.0', 'DependencyInjector.Core@1.4.1', 'SipNet@12.8.4', 'SipNet@12.8.5', 'SipNet@12.8.6', 'SipNet@12.8.7', 'SipNet.OpenAI.Realtime@12.8.3'], 'files': ['Braintree.dll', 'DependencyInjector.Core.dll'], 'domains': ['api.348672-shakepay.com'], 'ips': ['104.21.89.51', '172.67.188.32'], 'hashes': []}
def scan(path):
 try:
  text=path.read_text(errors="replace").lower()
 except OSError:
  return []
 hits=[]
 for kind,vals in IOCS.items():
  for value in vals:
   if value.lower() in text: hits.append({"type":kind,"value":value,"path":str(path)})
 return hits
def main():
 from pathlib import Path
 ap=argparse.ArgumentParser(); ap.add_argument("paths",nargs="+"); ap.add_argument("--json",action="store_true"); a=ap.parse_args(); hits=[]
 for raw in a.paths:
  p=Path(raw)
  if p.is_file(): hits += scan(p)
  elif p.is_dir():
   for f in p.rglob("*"):
    if f.is_file(): hits += scan(f)
 if a.json: print(json.dumps({"hits":hits},indent=2))
 else:
  for h in hits: print(f"{h['type']}\t{h['value']}\t{h['path']}")
 return 2 if hits else 0
if __name__=="__main__": raise SystemExit(main())

Provenance & Sources

1 of 1 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
SocketVendor95%1A fake Braintree-compatible NuGet package used production-only payment hooks and a companion module initializer to steal card and host secrets.