malware nuget

SipNet

discovered 2026-07-09

SIP/WebRTC package typosquatting the legitimate SIPSorcery library, published by the same NuGet account (`braintree`) behind Braintree.Net. The shipped DLL is a clean recompile identical to legitimate SIPSorcery 12.8.3-12.8.6; only the dependency MANIFEST was changed to add DependencyInjector.Core (>= some version) scoped to net8.0/net9.0/net10.0 targets, so installing SipNet 12.8.4-12.8.7 transitively delivers the unconditional host-secret harvester. No malicious code in SipNet's own assembly.

Threat types

typosquat data_exfiltration

Malicious versions

  • 12.8.4
  • 12.8.5
  • 12.8.6
  • 12.8.7

Techniques

Read the full analysis →