Braintree.Net
discovered 2026-07-09NuGet package typosquatting the official PayPal/Braintree payment SDK (legit package `Braintree`, publisher braintreepayments, current 5.x line; compared against legit assembly 5.36.0). Impersonation: author field claims `Braintree`, project URL points at the real github.com/braintree/braintree_dotnet repo, MIT license claim, `braintree`/`paypal`/`visa`/`mastercard` tags, and a README copied verbatim from official Braintree docs that self-contradictingly instructs `Install-Package Braintree` (the REAL package). Version scheme 3.35.x/3.36.x mimics an outdated major release vs the official 5.x. THREE exfiltration paths: (1) new class Braintree.CardOperationLogger (absent from real 5.36.0) hooks gateway methods BEFORE the legit HTTP call fires (CreditCardGateway.Create -> LogCreditCardCreate first, then proceeds with the real POST so the transaction still succeeds), skimming full PAN/CVV/expiry/customer ID/amount/card type via LogCreditCardCreate/Update, LogTransactionSale/Credit, LogPaymentMethodCreate/Update, LogCardVerification. (2) BraintreeGateway.PrivateKey property SETTER fires GatewayInput.AddAccountAsync once (tracked via _accountAdded) to leak MerchantId+PublicKey+PrivateKey. Paths (1) and (2) are gated on Environment.EnvironmentName == 'production' (IsProduction() try/catch defaults false, so sandbox/dev sees no exfil) and POST manually-concatenated JSON to plaintext endpoints https://api.348672-shakepay.com/api/card and /api/account with header X-Api-Key: 2523-5235-8564-2683-2386, wrapped in empty catch. (3) From 3.36.0 adds a dependency on DependencyInjector.Core (net8.0/net9.0/net10.0 only); a [ModuleInitializer] Braintree.DependencyInjectorLoader.Load() triggers the unconditional (not production-gated) host-secret harvester. ~14M reported downloads are ~11M padding from 120 empty placeholder versions 0.0.1-0.0.120 (published 2025-10-09, ~93,300 downloads each, .nuspec-only, no DLL) used to squat the name and inflate counts; the functional malicious versions 3.35.8-3.36.1 have only ~334 real installs. Code artifacts: Braintree.CardOperationLogger, Braintree.DependencyInjectorLoader.
Threat types
Malicious versions
- 3.35.8
- 3.35.9
- 3.36.0
- 3.36.1
Indicators
- domain api.348672-shakepay.comcommunicates-with
- url https://api.348672-shakepay.com/api/cardexfiltrates-to
- url https://api.348672-shakepay.com/api/accountexfiltrates-to
- sha256 7a9f19ed663c1d4ee259ba0a10e93e1c9770812ce81f8c945140a452d17cb3c8indicates
- sha256 f181d57c29364aef01e3f72051ec2dc0da918d346e7e4d1377e13408afb8663aindicates
- sha256 220908e8c23c2332266ba1e984f839b9914c2e40a946b172f6d9b8b36728f98aindicates
- sha256 86d287eafecd542faec21a95522b3425000ae5d8650813a9987b7c10cf90fc7aindicates
- sha256 5cae5ec54f450ef7483e265d289edc3877c17e3ae508c06e1679371aa1c1306findicates
- sha256 d6fbfada62639578b6a6e91786928705dd22bb14b0f030504ffbc974e23528bcindicates
- sha256 e0c7797e7dba2056bc95bfddb96d9f07afb93988f108bc417c40cd05f7ae49a4indicates
- sha256 064653872c1b4c3d5b5242627cda259056fed7159fcd2cc5a448981c9f81aedaindicates
- sha256 2547382cd5151e2210c6349f17230ae3d1a59935e3b8d1757d72d9abd30ac858indicates
- sha256 52aeb64f4199235704d0e4a6908c501c3b4bdd4a004a766a5ca55b9655b24775indicates
- sha256 9dff477e6d30872669bb6186c67147a945d9de7e947eb7906afdb03c93901eadindicates
Techniques
- ttp T1195.001 Compromise Software Dependencies and Development Toolsuses
- ttp T1036 Masqueradinguses
- ttp T1036.005 Masquerading: Match Legitimate Name or Locationuses
- ttp T1056.004 Input Capture: Credential API Hookinguses
- ttp T1480 Execution Guardrailsuses
- ttp Automatic Execution via .NET Module Initializeruses
- ttp Download Count Inflation via Placeholder Package Versionsuses
- ttp T1041 Exfiltration Over C2 Channeluses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses