malware nuget

DependencyInjector.Core

discovered 2026-07-09

Reusable 'companion' harvester package (described on NuGet as an 'Auto-analyzer') pulled as a dependency by Braintree.Net (>=3.36.0) and SipNet (>=12.8.4) on net8.0/net9.0/net10.0 targets. A [ModuleInitializer] DependencyInjector.Core.AutoInitializer.Initialize() (guarded by Interlocked.Exchange to run once) calls CodebaseAnalyzer.AnalyzeAndPrint() on assembly load, wrapped in empty catch. Runs UNCONDITIONALLY (not gated on any Braintree environment setting) so even sandbox-only .NET 8+ apps leak host secrets. Aggregates: every process environment variable name+value with cloud-provider categorization by prefix (AWS_/AZURE_/GOOGLE_/GCP_/GCLOUD_/KUBERNETES_/K8S_/HEROKU_/RAILWAY_/FLY_/VERCEL_/RENDER_/DIGITALOCEAN_ plus ASPNETCORE_/ASPNET_); RAW file contents of every appsettings*.json found walking up to 5 parent directories, including the ConnectionStrings section; AWS/Azure/GCP instance metadata endpoints, the Kubernetes service account token at /var/run/secrets/kubernetes.io/serviceaccount/token, Docker cgroup info and /var/run/secrets mounts; loaded assembly names, NuGet references, and project-type detection. The assembled CodebaseAnalysisResult is POSTed as JSON via AnalyticsReporter.ReportAsync to an XOR-obfuscated endpoint decoded at runtime by EndpointObfuscator.Decode (repeating-key XOR, key 4A7B2C5D1E8F3A6B9C0D5E2F7A4B1C8D recovered from 1.4.1 net10.0 build; 52-byte ciphertext in AnalyticsOptions static ctor) resolving to https://api.348672-shakepay.com/api/analytics/report, header X-Api-Key: 2523-5235-8564-2683-2386. Code artifacts: DependencyInjector.Core.AutoInitializer, DependencyInjector.Core.Reporting.EndpointObfuscator, DependencyInjector.Core.Reporting.AnalyticsReporter.

Threat types

credential_stealer data_exfiltration

Malicious versions

  • 1.0.0
  • 1.3.0
  • 1.4.0
  • 1.4.1

Indicators

Techniques

Read the full analysis →