Malicious NuGet package mimics Braintree SDK to skim card data
Security researchers have identified a malicious NuGet package that mimics the Braintree payment SDK to steal credit card data and exfiltrate merchant credentials. The package specifically targets developers by harvesting environment secrets and Kubernetes tokens, posing a significant supply chain security risk for streaming and WebRTC applications.
Key Takeaways
- Malicious package mimics Braintree SDK by catching setting of the BraintreeGateway.PrivateKey property to harvest merchant credentials.
- Integrated Braintree.CardOperationLogger class intercepts full payment card data (PAN, CVV, expiry) before legitimate transactions occur.
- DependencyInjector.Core sub-package probes host environments for high-value secrets, including cloud metadata and Kubernetes service account tokens.
- Attacker infrastructure utilized XOR-encoded C2 endpoints and inflated download counts via empty versions to evade standard analysis.
- Targets specifically included developers of Sip and WebRTC applications, creating a direct supply chain threat to video communication stacks.
Why It Matters
This incident represents a sophisticated escalation in supply chain targeting for the streaming industry. By compromising the payment gateway client, attackers gain direct access to the revenue flow and critical infrastructure secrets of video platforms. For architects, this highlights that traditional perimeter security is ineffective against malicious code executing within trusted development environments or CI/CD pipelines. The harvesting of Kubernetes tokens suggests a pivot toward long-term persistence in containerized streaming architectures. Organizations must immediately audit NuGet dependencies and rotate any merchant credentials that may have been exposed through the Braintree.Net library. Watch for updated guidance from NuGet following the formal request for publisher suspension.
Additional Context
The Braintree incident mirrors a massive surge in software supply chain attacks throughout 2026. Per Sonatype, the first quarter of 2026 alone saw over 21,000 malicious packages identified across major registries like NuGet, npm, and PyPI—a rate of one every six minutes. Many of these campaigns, such as the 'Megalodon' attack reported by CISA in May 2026, have moved beyond simple credit card skimming to focus on harvesting CI/CD secrets and cloud credentials. These high-consequence threats enable attackers to move laterally from a developer's workstation into the broader production environment, including core financial and cloud systems. This trend coincides with the enforcement of PCI DSS v4.0, which became mandatory in March 2025. Per Anchore (April 2025), the updated standard requires enterprises to maintain comprehensive Software Bill of Materials (SBOM) inventories to defend against exactly these types of third-party compromises. The standard also expanded the scope of compliance to include any SaaS provider that can impact account data, even if they do not directly process payments. The fact that the Braintree.Net implant could silently fail during network errors while continuing to harvest data underscores the difficulty of detection under traditional monitoring. Furthermore, researchers from Palo Alto Networks (June 2026) noted that supply chain attacks have moved into a 'high-consequence' phase, driven by the weaponization of maintainer trust and automated propagation. Recent incidents involving threat groups like TeamPCP have successfully backdoored widely used tools such as Trivy and Axios. For streaming and real-time communication developers, this environments are now high-value targets due to the combination of sensitive payment information and the heavy use of containerized orchestration like Kubernetes, which saw a 282% increase in token-harvesting attempts over the past year.
Read full article at x.com
Enjoy our coverage?
Add StreamingMeme as a preferred source on Google to see more of our streaming news at the top of your Search results.
Add as preferred source