Executive Summary
A fake Braintree-compatible NuGet package used production-only payment hooks and a companion module initializer to steal card and host secrets. The cited researchers identify the execution trigger as .NET module initialization, production gateway configuration, and payment API calls and the observed behavior as: intercepts PAN/CVV, steals Braintree merchant keys, and harvests environment, config, cloud, and container secrets. [1]
Responders should treat a matching malicious version as exposure and seek execution or egress evidence before asserting data theft. Secrets at risk include payment card data, Braintree merchant credentials, connection strings, cloud credentials, and CI tokens. No public victim count is treated as verified. [1]