DependencyInjector.Core
discovered 2026-07-09Reusable 'companion' harvester package (described on NuGet as an 'Auto-analyzer') pulled as a dependency by Braintree.Net (>=3.36.0) and SipNet (>=12.8.4) on net8.0/net9.0/net10.0 targets. A [ModuleInitializer] DependencyInjector.Core.AutoInitializer.Initialize() (guarded by Interlocked.Exchange to run once) calls CodebaseAnalyzer.AnalyzeAndPrint() on assembly load, wrapped in empty catch. Runs UNCONDITIONALLY (not gated on any Braintree environment setting) so even sandbox-only .NET 8+ apps leak host secrets. Aggregates: every process environment variable name+value with cloud-provider categorization by prefix (AWS_/AZURE_/GOOGLE_/GCP_/GCLOUD_/KUBERNETES_/K8S_/HEROKU_/RAILWAY_/FLY_/VERCEL_/RENDER_/DIGITALOCEAN_ plus ASPNETCORE_/ASPNET_); RAW file contents of every appsettings*.json found walking up to 5 parent directories, including the ConnectionStrings section; AWS/Azure/GCP instance metadata endpoints, the Kubernetes service account token at /var/run/secrets/kubernetes.io/serviceaccount/token, Docker cgroup info and /var/run/secrets mounts; loaded assembly names, NuGet references, and project-type detection. The assembled CodebaseAnalysisResult is POSTed as JSON via AnalyticsReporter.ReportAsync to an XOR-obfuscated endpoint decoded at runtime by EndpointObfuscator.Decode (repeating-key XOR, key 4A7B2C5D1E8F3A6B9C0D5E2F7A4B1C8D recovered from 1.4.1 net10.0 build; 52-byte ciphertext in AnalyticsOptions static ctor) resolving to https://api.348672-shakepay.com/api/analytics/report, header X-Api-Key: 2523-5235-8564-2683-2386. Code artifacts: DependencyInjector.Core.AutoInitializer, DependencyInjector.Core.Reporting.EndpointObfuscator, DependencyInjector.Core.Reporting.AnalyticsReporter.
Threat types
Malicious versions
- 1.0.0
- 1.3.0
- 1.4.0
- 1.4.1
Indicators
- domain api.348672-shakepay.comcommunicates-with
- url https://api.348672-shakepay.com/api/analytics/reportexfiltrates-to
- sha256 efec1e537445170a9aac11781c597cba5bd5d25b79ac3d65467d84f109d86fd4indicates
- sha256 7c30f007af910886b46f6022dd724dd303ad2d5f983376d0547293f484d6ae71indicates
- sha256 9d8d79000f6413668429d851f7d8ce94cd1b61c3a421939cf34cec8d668f5388indicates
- sha256 c9564621abec9bdb7ceb38bb1a2895a119772b7f830351272c13a3f4cd606b97indicates
- sha256 f53359313ce9a9433651202a7ffbf155dc1379103796a45492a50edbf044d59dindicates
- sha256 b4a5bcf4ce8c9cc844c06f436d4c26b28cb408f7e4fd8990681336445493acc1indicates
- sha256 531302fe3b8a8624aa468ee83707448fbd1db2eaa3f8d587331db2b17890f8adindicates
- sha256 bfdaf869a3956b37bf416dcdafdad314e8de0215cfd8fd8b2bc7a4e5cd15a349indicates
- sha256 5138ea25563be4ae8143b7a46c6bc42af00344678e6d4451ac596b5b5587c70eindicates
- sha256 eceab1132aacd803962fa173d1b2c43e225fcfa8b5d26d3efadad1b4de33d8ecindicates
- sha256 de6384e853dfc007205abb7b15b49eded2e3e977058600dece2c2e9190a5191aindicates
- sha256 c3be125753aea85728a082823db77d833377d7e3eb199364aa49d1ff2535f53eindicates
Techniques
- ttp T1195.001 Compromise Software Dependencies and Development Toolsuses
- ttp Automatic Execution via .NET Module Initializeruses
- ttp T1552 Unsecured Credentialsuses
- ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
- ttp T1552.005 Unsecured Credentials: Cloud Instance Metadata APIuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1140 Deobfuscate/Decode Files or Informationuses
- ttp T1041 Exfiltration Over C2 Channeluses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses