{"id":14200,"date":"2026-07-10T10:03:34","date_gmt":"2026-07-10T10:03:34","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/10\/braintree-nuget-typosquat-uses-xor-obfuscated-c2-to-hide-environment-secret-theft\/"},"modified":"2026-07-10T10:03:34","modified_gmt":"2026-07-10T10:03:34","slug":"braintree-nuget-typosquat-uses-xor-obfuscated-c2-to-hide-environment-secret-theft","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/10\/braintree-nuget-typosquat-uses-xor-obfuscated-c2-to-hide-environment-secret-theft\/","title":{"rendered":"Braintree NuGet Typosquat Uses XOR-Obfuscated C2 to Hide Environment Secret Theft"},"content":{"rendered":"<p>    Braintree NuGet Typosquat Uses XOR-Obfuscated C2 to Hide Environment Secret Theft<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">A malicious NuGet package impersonating the Braintree .NET payment library has put production payment systems at risk. <\/p>\n<p class=\"wp-block-paragraph\">The package can collect live card details during transactions, then send the data away without alerting the application or its users. It also seeks credentials that could give criminals broader access to merchant systems.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/dc071d2a-a29e-4f36-9d5a-ff2f8f500775\/Braintree-NuGet-Typosquat-Uses-XOR-Obfuscated-C2-to-Hide-Environment-Secret-Theft.pdf?AWSAccessKeyId=ASIA2F3EMEYEVCYOL2FO&amp;Signature=hvNVDUKI9IWAHeMqvrTs1IwDAKs%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDeQX%2FabR%2BeeNmKtn%2FnxgafWCI8LFpxpmhZfhGM6eM%2BzwIhAJexr6z5qVJHYxystwpzzGcllW58P9VqfpUpxFprxQJgKvwECLD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igy0aIfnAGqMGJpfRjUq0ASUu%2FGyMmi7RIGZ6tuotT75wuxv0XOzhBLrHzyWBaGlbK65m73fqN9HJlvdkSaG%2FV%2Bg3g0f4UnPCEFZ14G2%2BkUwS9QFRunPU4k%2Fm6h2YNJbtxITLgtegByrhgSX3Hy9YvwCcBT%2B1%2FqoTmaNR3jtd2wTqmuESOjA%2BooHaoGTquMPikE4IHS8%2FiYC9GY8%2Fq2wRUDSq%2FjqDtEf2DK5yAtYvqMhvBpr1AqvUzDI8miiUVdsfeV4VfX%2B4mBuJ9Ppw9vSs0qDu5EDV9bcM4iWQXE2vH3I3w7x%2FAGvujipPmNCX1cAfI2NVjedNB9u0GkurCdkSbdiTyk4u%2FKevBpzxybztQGXGW2kiNn9Mkk2WDZXg0T%2Bs0ji6Umwyix1ERxakh9OgTe%2F2ateeIO%2Bk9iM037JIRSKvVBNeyBzsTXCCL2rXtrqc9MhdmCaCAgpdBmObBwJQArvnLz4ym2cAqLba9zQUFvw%2B4jIxEpVnLpl6S7UsXI4j95IZDGhg7N%2F1MC5bWufUrFnWYi8lPZTnEbFjYbd5hH48zeXC23nzDbiERt1LJAO9e28N7cPOk8K31%2BK2lGbWDy90m8Z94P7YcPzBOK3XF5EYo3m61J5DPjIJWhO9P5SI%2Fj8rD9jhhy75rBNlHpthzNJohqnAzZudsTIVjO13tkS2m3xa4cgAhdOwiiOR7N%2BeA2FLcYd0p2fxp7XcPH12I66trPyCB59ulbHduhYIW0Q72XN1bHM%2BHw2DFtQ0PX%2FK0KzMfGU%2BOhq0OnXb69ICISTbwhTMZZFETguHqPvDAqAMNK1wtIGOpcBVp41ZslyTAs2CF5BTNaxyqbynM4%2Fx5%2Fr1I%2FYHfvSnvUdvlv8oSM7aQ7aVCFIY5DhDL%2BOIruQK44FbpwYd%2BCfkZFXR2JdOTT%2FQUfP1r1n6ZUjW49UqAHa1CDecKyeJnT6KVzovqcNgJE3pOcnXq5cmzgtGKISqjjDEphWqxdr5WjYzXPGXj4QUufXZ51NpYuuxYTKQIX%2BVw%3D%3D&amp;Expires=1783670949\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Typosquatting works because a nearly identical package name can look trustworthy during a rushed dependency update. Once added to a project, the altered code runs inside the payment workflow, where it can observe sensitive information. <\/p>\n<p class=\"wp-block-paragraph\">The risk is especially serious for organizations processing real customer transactions rather than test data.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/dc071d2a-a29e-4f36-9d5a-ff2f8f500775\/Braintree-NuGet-Typosquat-Uses-XOR-Obfuscated-C2-to-Hide-Environment-Secret-Theft.pdf?AWSAccessKeyId=ASIA2F3EMEYEVCYOL2FO&amp;Signature=hvNVDUKI9IWAHeMqvrTs1IwDAKs%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDeQX%2FabR%2BeeNmKtn%2FnxgafWCI8LFpxpmhZfhGM6eM%2BzwIhAJexr6z5qVJHYxystwpzzGcllW58P9VqfpUpxFprxQJgKvwECLD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igy0aIfnAGqMGJpfRjUq0ASUu%2FGyMmi7RIGZ6tuotT75wuxv0XOzhBLrHzyWBaGlbK65m73fqN9HJlvdkSaG%2FV%2Bg3g0f4UnPCEFZ14G2%2BkUwS9QFRunPU4k%2Fm6h2YNJbtxITLgtegByrhgSX3Hy9YvwCcBT%2B1%2FqoTmaNR3jtd2wTqmuESOjA%2BooHaoGTquMPikE4IHS8%2FiYC9GY8%2Fq2wRUDSq%2FjqDtEf2DK5yAtYvqMhvBpr1AqvUzDI8miiUVdsfeV4VfX%2B4mBuJ9Ppw9vSs0qDu5EDV9bcM4iWQXE2vH3I3w7x%2FAGvujipPmNCX1cAfI2NVjedNB9u0GkurCdkSbdiTyk4u%2FKevBpzxybztQGXGW2kiNn9Mkk2WDZXg0T%2Bs0ji6Umwyix1ERxakh9OgTe%2F2ateeIO%2Bk9iM037JIRSKvVBNeyBzsTXCCL2rXtrqc9MhdmCaCAgpdBmObBwJQArvnLz4ym2cAqLba9zQUFvw%2B4jIxEpVnLpl6S7UsXI4j95IZDGhg7N%2F1MC5bWufUrFnWYi8lPZTnEbFjYbd5hH48zeXC23nzDbiERt1LJAO9e28N7cPOk8K31%2BK2lGbWDy90m8Z94P7YcPzBOK3XF5EYo3m61J5DPjIJWhO9P5SI%2Fj8rD9jhhy75rBNlHpthzNJohqnAzZudsTIVjO13tkS2m3xa4cgAhdOwiiOR7N%2BeA2FLcYd0p2fxp7XcPH12I66trPyCB59ulbHduhYIW0Q72XN1bHM%2BHw2DFtQ0PX%2FK0KzMfGU%2BOhq0OnXb69ICISTbwhTMZZFETguHqPvDAqAMNK1wtIGOpcBVp41ZslyTAs2CF5BTNaxyqbynM4%2Fx5%2Fr1I%2FYHfvSnvUdvlv8oSM7aQ7aVCFIY5DhDL%2BOIruQK44FbpwYd%2BCfkZFXR2JdOTT%2FQUfP1r1n6ZUjW49UqAHa1CDecKyeJnT6KVzovqcNgJE3pOcnXq5cmzgtGKISqjjDEphWqxdr5WjYzXPGXj4QUufXZ51NpYuuxYTKQIX%2BVw%3D%3D&amp;Expires=1783670949\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Researchers at Socket.dev identified the malicious package while examining a campaign aimed at software supply chains.\u00a0<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/socket.dev\/blog\/braintree-nuget-typosquat-skims-credit-cards\" data-type=\"link\" data-id=\"https:\/\/socket.dev\/blog\/braintree-nuget-typosquat-skims-credit-cards\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Socket.dev\u00a0said in a report<\/a> shared with Cyber Security News (CSN) that the implant was built to target live environments and gather both payment data and merchant secrets. Its presence turns an ordinary software dependency into a direct route for theft.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh36pvbInCq2x5r6rN7KBTLUdZnZm2CSK0ZREHwSnRmcqoy4ochNobtuXWOOpQw81ZHc9bYz_0homcmzg2VtCHYab7rwl86Qnhokxrsuwu8LkC70tzydPM4nFUNZm433uKR9wni_52D7gNSxNujSo-v5UaCHaasc5bR8TcqIylOnAsYB-aG8H1Tp6Uts4o\/s1600\/Packages%2520returned%2520for%2520Braintree%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\" alt=\"Packages returned for Braintree (Source - Socket.dev)\"><figcaption class=\"wp-element-caption\">Packages returned for Braintree (Source \u2013 Socket.dev)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">The malware appears designed to remain quiet until it reaches a valuable target. That approach makes it more dangerous than a simple malicious installer because it is woven into software that handles payments. <\/p>\n<p class=\"wp-block-paragraph\">A successful compromise could expose shoppers, merchants, and the systems used to process transactions.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/dc071d2a-a29e-4f36-9d5a-ff2f8f500775\/Braintree-NuGet-Typosquat-Uses-XOR-Obfuscated-C2-to-Hide-Environment-Secret-Theft.pdf?AWSAccessKeyId=ASIA2F3EMEYEVCYOL2FO&amp;Signature=hvNVDUKI9IWAHeMqvrTs1IwDAKs%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDeQX%2FabR%2BeeNmKtn%2FnxgafWCI8LFpxpmhZfhGM6eM%2BzwIhAJexr6z5qVJHYxystwpzzGcllW58P9VqfpUpxFprxQJgKvwECLD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igy0aIfnAGqMGJpfRjUq0ASUu%2FGyMmi7RIGZ6tuotT75wuxv0XOzhBLrHzyWBaGlbK65m73fqN9HJlvdkSaG%2FV%2Bg3g0f4UnPCEFZ14G2%2BkUwS9QFRunPU4k%2Fm6h2YNJbtxITLgtegByrhgSX3Hy9YvwCcBT%2B1%2FqoTmaNR3jtd2wTqmuESOjA%2BooHaoGTquMPikE4IHS8%2FiYC9GY8%2Fq2wRUDSq%2FjqDtEf2DK5yAtYvqMhvBpr1AqvUzDI8miiUVdsfeV4VfX%2B4mBuJ9Ppw9vSs0qDu5EDV9bcM4iWQXE2vH3I3w7x%2FAGvujipPmNCX1cAfI2NVjedNB9u0GkurCdkSbdiTyk4u%2FKevBpzxybztQGXGW2kiNn9Mkk2WDZXg0T%2Bs0ji6Umwyix1ERxakh9OgTe%2F2ateeIO%2Bk9iM037JIRSKvVBNeyBzsTXCCL2rXtrqc9MhdmCaCAgpdBmObBwJQArvnLz4ym2cAqLba9zQUFvw%2B4jIxEpVnLpl6S7UsXI4j95IZDGhg7N%2F1MC5bWufUrFnWYi8lPZTnEbFjYbd5hH48zeXC23nzDbiERt1LJAO9e28N7cPOk8K31%2BK2lGbWDy90m8Z94P7YcPzBOK3XF5EYo3m61J5DPjIJWhO9P5SI%2Fj8rD9jhhy75rBNlHpthzNJohqnAzZudsTIVjO13tkS2m3xa4cgAhdOwiiOR7N%2BeA2FLcYd0p2fxp7XcPH12I66trPyCB59ulbHduhYIW0Q72XN1bHM%2BHw2DFtQ0PX%2FK0KzMfGU%2BOhq0OnXb69ICISTbwhTMZZFETguHqPvDAqAMNK1wtIGOpcBVp41ZslyTAs2CF5BTNaxyqbynM4%2Fx5%2Fr1I%2FYHfvSnvUdvlv8oSM7aQ7aVCFIY5DhDL%2BOIruQK44FbpwYd%2BCfkZFXR2JdOTT%2FQUfP1r1n6ZUjW49UqAHa1CDecKyeJnT6KVzovqcNgJE3pOcnXq5cmzgtGKISqjjDEphWqxdr5WjYzXPGXj4QUufXZ51NpYuuxYTKQIX%2BVw%3D%3D&amp;Expires=1783670949\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-braintree-nuget-typosquat-uses-xor-obfuscated-c2\" class=\"wp-block-heading\"><strong>Braintree NuGet Typosquat Uses XOR-Obfuscated C2<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The rogue package contains code that intercepts payment activity and captures information provided during card creation and other gateway operations. <\/p>\n<p class=\"wp-block-paragraph\">Instead of breaking the payment process, it attempts to blend into it. This gives attackers an opportunity to obtain data while the application continues working normally.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/dc071d2a-a29e-4f36-9d5a-ff2f8f500775\/Braintree-NuGet-Typosquat-Uses-XOR-Obfuscated-C2-to-Hide-Environment-Secret-Theft.pdf?AWSAccessKeyId=ASIA2F3EMEYEVCYOL2FO&amp;Signature=hvNVDUKI9IWAHeMqvrTs1IwDAKs%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDeQX%2FabR%2BeeNmKtn%2FnxgafWCI8LFpxpmhZfhGM6eM%2BzwIhAJexr6z5qVJHYxystwpzzGcllW58P9VqfpUpxFprxQJgKvwECLD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igy0aIfnAGqMGJpfRjUq0ASUu%2FGyMmi7RIGZ6tuotT75wuxv0XOzhBLrHzyWBaGlbK65m73fqN9HJlvdkSaG%2FV%2Bg3g0f4UnPCEFZ14G2%2BkUwS9QFRunPU4k%2Fm6h2YNJbtxITLgtegByrhgSX3Hy9YvwCcBT%2B1%2FqoTmaNR3jtd2wTqmuESOjA%2BooHaoGTquMPikE4IHS8%2FiYC9GY8%2Fq2wRUDSq%2FjqDtEf2DK5yAtYvqMhvBpr1AqvUzDI8miiUVdsfeV4VfX%2B4mBuJ9Ppw9vSs0qDu5EDV9bcM4iWQXE2vH3I3w7x%2FAGvujipPmNCX1cAfI2NVjedNB9u0GkurCdkSbdiTyk4u%2FKevBpzxybztQGXGW2kiNn9Mkk2WDZXg0T%2Bs0ji6Umwyix1ERxakh9OgTe%2F2ateeIO%2Bk9iM037JIRSKvVBNeyBzsTXCCL2rXtrqc9MhdmCaCAgpdBmObBwJQArvnLz4ym2cAqLba9zQUFvw%2B4jIxEpVnLpl6S7UsXI4j95IZDGhg7N%2F1MC5bWufUrFnWYi8lPZTnEbFjYbd5hH48zeXC23nzDbiERt1LJAO9e28N7cPOk8K31%2BK2lGbWDy90m8Z94P7YcPzBOK3XF5EYo3m61J5DPjIJWhO9P5SI%2Fj8rD9jhhy75rBNlHpthzNJohqnAzZudsTIVjO13tkS2m3xa4cgAhdOwiiOR7N%2BeA2FLcYd0p2fxp7XcPH12I66trPyCB59ulbHduhYIW0Q72XN1bHM%2BHw2DFtQ0PX%2FK0KzMfGU%2BOhq0OnXb69ICISTbwhTMZZFETguHqPvDAqAMNK1wtIGOpcBVp41ZslyTAs2CF5BTNaxyqbynM4%2Fx5%2Fr1I%2FYHfvSnvUdvlv8oSM7aQ7aVCFIY5DhDL%2BOIruQK44FbpwYd%2BCfkZFXR2JdOTT%2FQUfP1r1n6ZUjW49UqAHa1CDecKyeJnT6KVzovqcNgJE3pOcnXq5cmzgtGKISqjjDEphWqxdr5WjYzXPGXj4QUufXZ51NpYuuxYTKQIX%2BVw%3D%3D&amp;Expires=1783670949\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">It also targets merchant credentials, environment variables, and access tokens stored by applications. <\/p>\n<p class=\"wp-block-paragraph\">These values can unlock payment services, cloud accounts, databases, or other connected resources. Losing them can extend the damage well beyond a single compromised application and make follow-on attacks easier.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/dc071d2a-a29e-4f36-9d5a-ff2f8f500775\/Braintree-NuGet-Typosquat-Uses-XOR-Obfuscated-C2-to-Hide-Environment-Secret-Theft.pdf?AWSAccessKeyId=ASIA2F3EMEYEVCYOL2FO&amp;Signature=hvNVDUKI9IWAHeMqvrTs1IwDAKs%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDeQX%2FabR%2BeeNmKtn%2FnxgafWCI8LFpxpmhZfhGM6eM%2BzwIhAJexr6z5qVJHYxystwpzzGcllW58P9VqfpUpxFprxQJgKvwECLD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igy0aIfnAGqMGJpfRjUq0ASUu%2FGyMmi7RIGZ6tuotT75wuxv0XOzhBLrHzyWBaGlbK65m73fqN9HJlvdkSaG%2FV%2Bg3g0f4UnPCEFZ14G2%2BkUwS9QFRunPU4k%2Fm6h2YNJbtxITLgtegByrhgSX3Hy9YvwCcBT%2B1%2FqoTmaNR3jtd2wTqmuESOjA%2BooHaoGTquMPikE4IHS8%2FiYC9GY8%2Fq2wRUDSq%2FjqDtEf2DK5yAtYvqMhvBpr1AqvUzDI8miiUVdsfeV4VfX%2B4mBuJ9Ppw9vSs0qDu5EDV9bcM4iWQXE2vH3I3w7x%2FAGvujipPmNCX1cAfI2NVjedNB9u0GkurCdkSbdiTyk4u%2FKevBpzxybztQGXGW2kiNn9Mkk2WDZXg0T%2Bs0ji6Umwyix1ERxakh9OgTe%2F2ateeIO%2Bk9iM037JIRSKvVBNeyBzsTXCCL2rXtrqc9MhdmCaCAgpdBmObBwJQArvnLz4ym2cAqLba9zQUFvw%2B4jIxEpVnLpl6S7UsXI4j95IZDGhg7N%2F1MC5bWufUrFnWYi8lPZTnEbFjYbd5hH48zeXC23nzDbiERt1LJAO9e28N7cPOk8K31%2BK2lGbWDy90m8Z94P7YcPzBOK3XF5EYo3m61J5DPjIJWhO9P5SI%2Fj8rD9jhhy75rBNlHpthzNJohqnAzZudsTIVjO13tkS2m3xa4cgAhdOwiiOR7N%2BeA2FLcYd0p2fxp7XcPH12I66trPyCB59ulbHduhYIW0Q72XN1bHM%2BHw2DFtQ0PX%2FK0KzMfGU%2BOhq0OnXb69ICISTbwhTMZZFETguHqPvDAqAMNK1wtIGOpcBVp41ZslyTAs2CF5BTNaxyqbynM4%2Fx5%2Fr1I%2FYHfvSnvUdvlv8oSM7aQ7aVCFIY5DhDL%2BOIruQK44FbpwYd%2BCfkZFXR2JdOTT%2FQUfP1r1n6ZUjW49UqAHa1CDecKyeJnT6KVzovqcNgJE3pOcnXq5cmzgtGKISqjjDEphWqxdr5WjYzXPGXj4QUufXZ51NpYuuxYTKQIX%2BVw%3D%3D&amp;Expires=1783670949\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/cybersecuritynews.com\/researches-detailed-aurastealer-obfuscation\/\" data-type=\"post\" data-id=\"139088\" target=\"_blank\" rel=\"noreferrer noopener\">malware uses XOR obfuscation<\/a> to conceal its command-and-control, or C2, destination. <\/p>\n<p class=\"wp-block-paragraph\">XOR is a simple method of scrambling text so that readable server details are not plainly visible in the package. <\/p>\n<p class=\"wp-block-paragraph\">The technique can slow routine reviews and make suspicious network connections harder for defenders to spot.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/dc071d2a-a29e-4f36-9d5a-ff2f8f500775\/Braintree-NuGet-Typosquat-Uses-XOR-Obfuscated-C2-to-Hide-Environment-Secret-Theft.pdf?AWSAccessKeyId=ASIA2F3EMEYEVCYOL2FO&amp;Signature=hvNVDUKI9IWAHeMqvrTs1IwDAKs%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDeQX%2FabR%2BeeNmKtn%2FnxgafWCI8LFpxpmhZfhGM6eM%2BzwIhAJexr6z5qVJHYxystwpzzGcllW58P9VqfpUpxFprxQJgKvwECLD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igy0aIfnAGqMGJpfRjUq0ASUu%2FGyMmi7RIGZ6tuotT75wuxv0XOzhBLrHzyWBaGlbK65m73fqN9HJlvdkSaG%2FV%2Bg3g0f4UnPCEFZ14G2%2BkUwS9QFRunPU4k%2Fm6h2YNJbtxITLgtegByrhgSX3Hy9YvwCcBT%2B1%2FqoTmaNR3jtd2wTqmuESOjA%2BooHaoGTquMPikE4IHS8%2FiYC9GY8%2Fq2wRUDSq%2FjqDtEf2DK5yAtYvqMhvBpr1AqvUzDI8miiUVdsfeV4VfX%2B4mBuJ9Ppw9vSs0qDu5EDV9bcM4iWQXE2vH3I3w7x%2FAGvujipPmNCX1cAfI2NVjedNB9u0GkurCdkSbdiTyk4u%2FKevBpzxybztQGXGW2kiNn9Mkk2WDZXg0T%2Bs0ji6Umwyix1ERxakh9OgTe%2F2ateeIO%2Bk9iM037JIRSKvVBNeyBzsTXCCL2rXtrqc9MhdmCaCAgpdBmObBwJQArvnLz4ym2cAqLba9zQUFvw%2B4jIxEpVnLpl6S7UsXI4j95IZDGhg7N%2F1MC5bWufUrFnWYi8lPZTnEbFjYbd5hH48zeXC23nzDbiERt1LJAO9e28N7cPOk8K31%2BK2lGbWDy90m8Z94P7YcPzBOK3XF5EYo3m61J5DPjIJWhO9P5SI%2Fj8rD9jhhy75rBNlHpthzNJohqnAzZudsTIVjO13tkS2m3xa4cgAhdOwiiOR7N%2BeA2FLcYd0p2fxp7XcPH12I66trPyCB59ulbHduhYIW0Q72XN1bHM%2BHw2DFtQ0PX%2FK0KzMfGU%2BOhq0OnXb69ICISTbwhTMZZFETguHqPvDAqAMNK1wtIGOpcBVp41ZslyTAs2CF5BTNaxyqbynM4%2Fx5%2Fr1I%2FYHfvSnvUdvlv8oSM7aQ7aVCFIY5DhDL%2BOIruQK44FbpwYd%2BCfkZFXR2JdOTT%2FQUfP1r1n6ZUjW49UqAHa1CDecKyeJnT6KVzovqcNgJE3pOcnXq5cmzgtGKISqjjDEphWqxdr5WjYzXPGXj4QUufXZ51NpYuuxYTKQIX%2BVw%3D%3D&amp;Expires=1783670949\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The code checks whether it is operating in a production setting before carrying out key collection activity. <\/p>\n<p class=\"wp-block-paragraph\">This production-only gating helps attackers avoid exposing the campaign during development and testing. It also shows why organizations should not assume that a package is safe simply because it behaves normally in a sandbox.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/dc071d2a-a29e-4f36-9d5a-ff2f8f500775\/Braintree-NuGet-Typosquat-Uses-XOR-Obfuscated-C2-to-Hide-Environment-Secret-Theft.pdf?AWSAccessKeyId=ASIA2F3EMEYEVCYOL2FO&amp;Signature=hvNVDUKI9IWAHeMqvrTs1IwDAKs%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDeQX%2FabR%2BeeNmKtn%2FnxgafWCI8LFpxpmhZfhGM6eM%2BzwIhAJexr6z5qVJHYxystwpzzGcllW58P9VqfpUpxFprxQJgKvwECLD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igy0aIfnAGqMGJpfRjUq0ASUu%2FGyMmi7RIGZ6tuotT75wuxv0XOzhBLrHzyWBaGlbK65m73fqN9HJlvdkSaG%2FV%2Bg3g0f4UnPCEFZ14G2%2BkUwS9QFRunPU4k%2Fm6h2YNJbtxITLgtegByrhgSX3Hy9YvwCcBT%2B1%2FqoTmaNR3jtd2wTqmuESOjA%2BooHaoGTquMPikE4IHS8%2FiYC9GY8%2Fq2wRUDSq%2FjqDtEf2DK5yAtYvqMhvBpr1AqvUzDI8miiUVdsfeV4VfX%2B4mBuJ9Ppw9vSs0qDu5EDV9bcM4iWQXE2vH3I3w7x%2FAGvujipPmNCX1cAfI2NVjedNB9u0GkurCdkSbdiTyk4u%2FKevBpzxybztQGXGW2kiNn9Mkk2WDZXg0T%2Bs0ji6Umwyix1ERxakh9OgTe%2F2ateeIO%2Bk9iM037JIRSKvVBNeyBzsTXCCL2rXtrqc9MhdmCaCAgpdBmObBwJQArvnLz4ym2cAqLba9zQUFvw%2B4jIxEpVnLpl6S7UsXI4j95IZDGhg7N%2F1MC5bWufUrFnWYi8lPZTnEbFjYbd5hH48zeXC23nzDbiERt1LJAO9e28N7cPOk8K31%2BK2lGbWDy90m8Z94P7YcPzBOK3XF5EYo3m61J5DPjIJWhO9P5SI%2Fj8rD9jhhy75rBNlHpthzNJohqnAzZudsTIVjO13tkS2m3xa4cgAhdOwiiOR7N%2BeA2FLcYd0p2fxp7XcPH12I66trPyCB59ulbHduhYIW0Q72XN1bHM%2BHw2DFtQ0PX%2FK0KzMfGU%2BOhq0OnXb69ICISTbwhTMZZFETguHqPvDAqAMNK1wtIGOpcBVp41ZslyTAs2CF5BTNaxyqbynM4%2Fx5%2Fr1I%2FYHfvSnvUdvlv8oSM7aQ7aVCFIY5DhDL%2BOIruQK44FbpwYd%2BCfkZFXR2JdOTT%2FQUfP1r1n6ZUjW49UqAHa1CDecKyeJnT6KVzovqcNgJE3pOcnXq5cmzgtGKISqjjDEphWqxdr5WjYzXPGXj4QUufXZ51NpYuuxYTKQIX%2BVw%3D%3D&amp;Expires=1783670949\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-payment-supply-chain-risks\" class=\"wp-block-heading\"><strong>Payment Supply-Chain Risks<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The incident highlights how dependency mistakes can create a path into sensitive business systems. Developers often <a href=\"https:\/\/cybersecuritynews.com\/mistralai-pypi-package-compromised\/\" data-type=\"post\" data-id=\"149724\" target=\"_blank\" rel=\"noreferrer noopener\">trust familiar package names<\/a>, especially when a library appears to match an expected integration. <\/p>\n<p class=\"wp-block-paragraph\">Attackers take advantage of that trust by registering deceptive names that can be mistaken for the genuine dependency.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/dc071d2a-a29e-4f36-9d5a-ff2f8f500775\/Braintree-NuGet-Typosquat-Uses-XOR-Obfuscated-C2-to-Hide-Environment-Secret-Theft.pdf?AWSAccessKeyId=ASIA2F3EMEYEVCYOL2FO&amp;Signature=hvNVDUKI9IWAHeMqvrTs1IwDAKs%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDeQX%2FabR%2BeeNmKtn%2FnxgafWCI8LFpxpmhZfhGM6eM%2BzwIhAJexr6z5qVJHYxystwpzzGcllW58P9VqfpUpxFprxQJgKvwECLD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igy0aIfnAGqMGJpfRjUq0ASUu%2FGyMmi7RIGZ6tuotT75wuxv0XOzhBLrHzyWBaGlbK65m73fqN9HJlvdkSaG%2FV%2Bg3g0f4UnPCEFZ14G2%2BkUwS9QFRunPU4k%2Fm6h2YNJbtxITLgtegByrhgSX3Hy9YvwCcBT%2B1%2FqoTmaNR3jtd2wTqmuESOjA%2BooHaoGTquMPikE4IHS8%2FiYC9GY8%2Fq2wRUDSq%2FjqDtEf2DK5yAtYvqMhvBpr1AqvUzDI8miiUVdsfeV4VfX%2B4mBuJ9Ppw9vSs0qDu5EDV9bcM4iWQXE2vH3I3w7x%2FAGvujipPmNCX1cAfI2NVjedNB9u0GkurCdkSbdiTyk4u%2FKevBpzxybztQGXGW2kiNn9Mkk2WDZXg0T%2Bs0ji6Umwyix1ERxakh9OgTe%2F2ateeIO%2Bk9iM037JIRSKvVBNeyBzsTXCCL2rXtrqc9MhdmCaCAgpdBmObBwJQArvnLz4ym2cAqLba9zQUFvw%2B4jIxEpVnLpl6S7UsXI4j95IZDGhg7N%2F1MC5bWufUrFnWYi8lPZTnEbFjYbd5hH48zeXC23nzDbiERt1LJAO9e28N7cPOk8K31%2BK2lGbWDy90m8Z94P7YcPzBOK3XF5EYo3m61J5DPjIJWhO9P5SI%2Fj8rD9jhhy75rBNlHpthzNJohqnAzZudsTIVjO13tkS2m3xa4cgAhdOwiiOR7N%2BeA2FLcYd0p2fxp7XcPH12I66trPyCB59ulbHduhYIW0Q72XN1bHM%2BHw2DFtQ0PX%2FK0KzMfGU%2BOhq0OnXb69ICISTbwhTMZZFETguHqPvDAqAMNK1wtIGOpcBVp41ZslyTAs2CF5BTNaxyqbynM4%2Fx5%2Fr1I%2FYHfvSnvUdvlv8oSM7aQ7aVCFIY5DhDL%2BOIruQK44FbpwYd%2BCfkZFXR2JdOTT%2FQUfP1r1n6ZUjW49UqAHa1CDecKyeJnT6KVzovqcNgJE3pOcnXq5cmzgtGKISqjjDEphWqxdr5WjYzXPGXj4QUufXZ51NpYuuxYTKQIX%2BVw%3D%3D&amp;Expires=1783670949\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Teams that installed the affected package should remove it, examine their dependency records, and check application logs for unexpected outbound connections. <\/p>\n<p class=\"wp-block-paragraph\">They should also treat payment credentials, tokens, and secrets available to the affected application as potentially exposed. Prompt credential rotation can limit an attacker\u2019s ability to reuse stolen access.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/dc071d2a-a29e-4f36-9d5a-ff2f8f500775\/Braintree-NuGet-Typosquat-Uses-XOR-Obfuscated-C2-to-Hide-Environment-Secret-Theft.pdf?AWSAccessKeyId=ASIA2F3EMEYEVCYOL2FO&amp;Signature=hvNVDUKI9IWAHeMqvrTs1IwDAKs%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDeQX%2FabR%2BeeNmKtn%2FnxgafWCI8LFpxpmhZfhGM6eM%2BzwIhAJexr6z5qVJHYxystwpzzGcllW58P9VqfpUpxFprxQJgKvwECLD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igy0aIfnAGqMGJpfRjUq0ASUu%2FGyMmi7RIGZ6tuotT75wuxv0XOzhBLrHzyWBaGlbK65m73fqN9HJlvdkSaG%2FV%2Bg3g0f4UnPCEFZ14G2%2BkUwS9QFRunPU4k%2Fm6h2YNJbtxITLgtegByrhgSX3Hy9YvwCcBT%2B1%2FqoTmaNR3jtd2wTqmuESOjA%2BooHaoGTquMPikE4IHS8%2FiYC9GY8%2Fq2wRUDSq%2FjqDtEf2DK5yAtYvqMhvBpr1AqvUzDI8miiUVdsfeV4VfX%2B4mBuJ9Ppw9vSs0qDu5EDV9bcM4iWQXE2vH3I3w7x%2FAGvujipPmNCX1cAfI2NVjedNB9u0GkurCdkSbdiTyk4u%2FKevBpzxybztQGXGW2kiNn9Mkk2WDZXg0T%2Bs0ji6Umwyix1ERxakh9OgTe%2F2ateeIO%2Bk9iM037JIRSKvVBNeyBzsTXCCL2rXtrqc9MhdmCaCAgpdBmObBwJQArvnLz4ym2cAqLba9zQUFvw%2B4jIxEpVnLpl6S7UsXI4j95IZDGhg7N%2F1MC5bWufUrFnWYi8lPZTnEbFjYbd5hH48zeXC23nzDbiERt1LJAO9e28N7cPOk8K31%2BK2lGbWDy90m8Z94P7YcPzBOK3XF5EYo3m61J5DPjIJWhO9P5SI%2Fj8rD9jhhy75rBNlHpthzNJohqnAzZudsTIVjO13tkS2m3xa4cgAhdOwiiOR7N%2BeA2FLcYd0p2fxp7XcPH12I66trPyCB59ulbHduhYIW0Q72XN1bHM%2BHw2DFtQ0PX%2FK0KzMfGU%2BOhq0OnXb69ICISTbwhTMZZFETguHqPvDAqAMNK1wtIGOpcBVp41ZslyTAs2CF5BTNaxyqbynM4%2Fx5%2Fr1I%2FYHfvSnvUdvlv8oSM7aQ7aVCFIY5DhDL%2BOIruQK44FbpwYd%2BCfkZFXR2JdOTT%2FQUfP1r1n6ZUjW49UqAHa1CDecKyeJnT6KVzovqcNgJE3pOcnXq5cmzgtGKISqjjDEphWqxdr5WjYzXPGXj4QUufXZ51NpYuuxYTKQIX%2BVw%3D%3D&amp;Expires=1783670949\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Organizations should verify package publishers, compare package names carefully, and review unexpected changes before approving new dependencies. <\/p>\n<p class=\"wp-block-paragraph\">Lock files, controlled internal repositories, and automated checks can reduce the chance of an unreviewed package reaching production. Monitoring outbound traffic from payment applications can also reveal suspicious behavior early.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/dc071d2a-a29e-4f36-9d5a-ff2f8f500775\/Braintree-NuGet-Typosquat-Uses-XOR-Obfuscated-C2-to-Hide-Environment-Secret-Theft.pdf?AWSAccessKeyId=ASIA2F3EMEYEVCYOL2FO&amp;Signature=hvNVDUKI9IWAHeMqvrTs1IwDAKs%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDeQX%2FabR%2BeeNmKtn%2FnxgafWCI8LFpxpmhZfhGM6eM%2BzwIhAJexr6z5qVJHYxystwpzzGcllW58P9VqfpUpxFprxQJgKvwECLD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igy0aIfnAGqMGJpfRjUq0ASUu%2FGyMmi7RIGZ6tuotT75wuxv0XOzhBLrHzyWBaGlbK65m73fqN9HJlvdkSaG%2FV%2Bg3g0f4UnPCEFZ14G2%2BkUwS9QFRunPU4k%2Fm6h2YNJbtxITLgtegByrhgSX3Hy9YvwCcBT%2B1%2FqoTmaNR3jtd2wTqmuESOjA%2BooHaoGTquMPikE4IHS8%2FiYC9GY8%2Fq2wRUDSq%2FjqDtEf2DK5yAtYvqMhvBpr1AqvUzDI8miiUVdsfeV4VfX%2B4mBuJ9Ppw9vSs0qDu5EDV9bcM4iWQXE2vH3I3w7x%2FAGvujipPmNCX1cAfI2NVjedNB9u0GkurCdkSbdiTyk4u%2FKevBpzxybztQGXGW2kiNn9Mkk2WDZXg0T%2Bs0ji6Umwyix1ERxakh9OgTe%2F2ateeIO%2Bk9iM037JIRSKvVBNeyBzsTXCCL2rXtrqc9MhdmCaCAgpdBmObBwJQArvnLz4ym2cAqLba9zQUFvw%2B4jIxEpVnLpl6S7UsXI4j95IZDGhg7N%2F1MC5bWufUrFnWYi8lPZTnEbFjYbd5hH48zeXC23nzDbiERt1LJAO9e28N7cPOk8K31%2BK2lGbWDy90m8Z94P7YcPzBOK3XF5EYo3m61J5DPjIJWhO9P5SI%2Fj8rD9jhhy75rBNlHpthzNJohqnAzZudsTIVjO13tkS2m3xa4cgAhdOwiiOR7N%2BeA2FLcYd0p2fxp7XcPH12I66trPyCB59ulbHduhYIW0Q72XN1bHM%2BHw2DFtQ0PX%2FK0KzMfGU%2BOhq0OnXb69ICISTbwhTMZZFETguHqPvDAqAMNK1wtIGOpcBVp41ZslyTAs2CF5BTNaxyqbynM4%2Fx5%2Fr1I%2FYHfvSnvUdvlv8oSM7aQ7aVCFIY5DhDL%2BOIruQK44FbpwYd%2BCfkZFXR2JdOTT%2FQUfP1r1n6ZUjW49UqAHa1CDecKyeJnT6KVzovqcNgJE3pOcnXq5cmzgtGKISqjjDEphWqxdr5WjYzXPGXj4QUufXZ51NpYuuxYTKQIX%2BVw%3D%3D&amp;Expires=1783670949\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/aligning-it-and-security-teams\/\" data-type=\"post\" data-id=\"108197\" target=\"_blank\" rel=\"noreferrer noopener\">Security teams should inspect running applications<\/a> rather than limiting their review to installation time. <\/p>\n<p class=\"wp-block-paragraph\">A dependency that appears harmless at first may activate only when it detects production conditions. Looking for unusual requests, secret access, and payment-flow changes can help uncover activity before a wider breach develops.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/dc071d2a-a29e-4f36-9d5a-ff2f8f500775\/Braintree-NuGet-Typosquat-Uses-XOR-Obfuscated-C2-to-Hide-Environment-Secret-Theft.pdf?AWSAccessKeyId=ASIA2F3EMEYEVCYOL2FO&amp;Signature=hvNVDUKI9IWAHeMqvrTs1IwDAKs%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDeQX%2FabR%2BeeNmKtn%2FnxgafWCI8LFpxpmhZfhGM6eM%2BzwIhAJexr6z5qVJHYxystwpzzGcllW58P9VqfpUpxFprxQJgKvwECLD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igy0aIfnAGqMGJpfRjUq0ASUu%2FGyMmi7RIGZ6tuotT75wuxv0XOzhBLrHzyWBaGlbK65m73fqN9HJlvdkSaG%2FV%2Bg3g0f4UnPCEFZ14G2%2BkUwS9QFRunPU4k%2Fm6h2YNJbtxITLgtegByrhgSX3Hy9YvwCcBT%2B1%2FqoTmaNR3jtd2wTqmuESOjA%2BooHaoGTquMPikE4IHS8%2FiYC9GY8%2Fq2wRUDSq%2FjqDtEf2DK5yAtYvqMhvBpr1AqvUzDI8miiUVdsfeV4VfX%2B4mBuJ9Ppw9vSs0qDu5EDV9bcM4iWQXE2vH3I3w7x%2FAGvujipPmNCX1cAfI2NVjedNB9u0GkurCdkSbdiTyk4u%2FKevBpzxybztQGXGW2kiNn9Mkk2WDZXg0T%2Bs0ji6Umwyix1ERxakh9OgTe%2F2ateeIO%2Bk9iM037JIRSKvVBNeyBzsTXCCL2rXtrqc9MhdmCaCAgpdBmObBwJQArvnLz4ym2cAqLba9zQUFvw%2B4jIxEpVnLpl6S7UsXI4j95IZDGhg7N%2F1MC5bWufUrFnWYi8lPZTnEbFjYbd5hH48zeXC23nzDbiERt1LJAO9e28N7cPOk8K31%2BK2lGbWDy90m8Z94P7YcPzBOK3XF5EYo3m61J5DPjIJWhO9P5SI%2Fj8rD9jhhy75rBNlHpthzNJohqnAzZudsTIVjO13tkS2m3xa4cgAhdOwiiOR7N%2BeA2FLcYd0p2fxp7XcPH12I66trPyCB59ulbHduhYIW0Q72XN1bHM%2BHw2DFtQ0PX%2FK0KzMfGU%2BOhq0OnXb69ICISTbwhTMZZFETguHqPvDAqAMNK1wtIGOpcBVp41ZslyTAs2CF5BTNaxyqbynM4%2Fx5%2Fr1I%2FYHfvSnvUdvlv8oSM7aQ7aVCFIY5DhDL%2BOIruQK44FbpwYd%2BCfkZFXR2JdOTT%2FQUfP1r1n6ZUjW49UqAHa1CDecKyeJnT6KVzovqcNgJE3pOcnXq5cmzgtGKISqjjDEphWqxdr5WjYzXPGXj4QUufXZ51NpYuuxYTKQIX%2BVw%3D%3D&amp;Expires=1783670949\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The campaign is a reminder that payment applications need strong controls around both code and credentials. A single deceptive package can expose card information and merchant secrets at the same time. <\/p>\n<p class=\"wp-block-paragraph\">Careful dependency validation and rapid incident response remain essential when software supply-chain threats target financial operations.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Indicators of compromise (IoCs):-<\/strong><a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/dc071d2a-a29e-4f36-9d5a-ff2f8f500775\/Braintree-NuGet-Typosquat-Uses-XOR-Obfuscated-C2-to-Hide-Environment-Secret-Theft.pdf?AWSAccessKeyId=ASIA2F3EMEYEVCYOL2FO&amp;Signature=hvNVDUKI9IWAHeMqvrTs1IwDAKs%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEOj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDeQX%2FabR%2BeeNmKtn%2FnxgafWCI8LFpxpmhZfhGM6eM%2BzwIhAJexr6z5qVJHYxystwpzzGcllW58P9VqfpUpxFprxQJgKvwECLD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igy0aIfnAGqMGJpfRjUq0ASUu%2FGyMmi7RIGZ6tuotT75wuxv0XOzhBLrHzyWBaGlbK65m73fqN9HJlvdkSaG%2FV%2Bg3g0f4UnPCEFZ14G2%2BkUwS9QFRunPU4k%2Fm6h2YNJbtxITLgtegByrhgSX3Hy9YvwCcBT%2B1%2FqoTmaNR3jtd2wTqmuESOjA%2BooHaoGTquMPikE4IHS8%2FiYC9GY8%2Fq2wRUDSq%2FjqDtEf2DK5yAtYvqMhvBpr1AqvUzDI8miiUVdsfeV4VfX%2B4mBuJ9Ppw9vSs0qDu5EDV9bcM4iWQXE2vH3I3w7x%2FAGvujipPmNCX1cAfI2NVjedNB9u0GkurCdkSbdiTyk4u%2FKevBpzxybztQGXGW2kiNn9Mkk2WDZXg0T%2Bs0ji6Umwyix1ERxakh9OgTe%2F2ateeIO%2Bk9iM037JIRSKvVBNeyBzsTXCCL2rXtrqc9MhdmCaCAgpdBmObBwJQArvnLz4ym2cAqLba9zQUFvw%2B4jIxEpVnLpl6S7UsXI4j95IZDGhg7N%2F1MC5bWufUrFnWYi8lPZTnEbFjYbd5hH48zeXC23nzDbiERt1LJAO9e28N7cPOk8K31%2BK2lGbWDy90m8Z94P7YcPzBOK3XF5EYo3m61J5DPjIJWhO9P5SI%2Fj8rD9jhhy75rBNlHpthzNJohqnAzZudsTIVjO13tkS2m3xa4cgAhdOwiiOR7N%2BeA2FLcYd0p2fxp7XcPH12I66trPyCB59ulbHduhYIW0Q72XN1bHM%2BHw2DFtQ0PX%2FK0KzMfGU%2BOhq0OnXb69ICISTbwhTMZZFETguHqPvDAqAMNK1wtIGOpcBVp41ZslyTAs2CF5BTNaxyqbynM4%2Fx5%2Fr1I%2FYHfvSnvUdvlv8oSM7aQ7aVCFIY5DhDL%2BOIruQK44FbpwYd%2BCfkZFXR2JdOTT%2FQUfP1r1n6ZUjW49UqAHa1CDecKyeJnT6KVzovqcNgJE3pOcnXq5cmzgtGKISqjjDEphWqxdr5WjYzXPGXj4QUufXZ51NpYuuxYTKQIX%2BVw%3D%3D&amp;Expires=1783670949\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>C2 URL<\/td>\n<td><code>wss:\/\/wordpressws.com\/ws<\/code><\/td>\n<td>WebSocket endpoint used for malicious command-and-control communications and data transmission.\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/anchor.host\/so-you-get-hit-with-a-credit-card-skimmer-what-now\/\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td><code>wordpressws.com<\/code><\/td>\n<td>Domain associated with the identified malicious WebSocket endpoint.\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/anchor.host\/so-you-get-hit-with-a-credit-card-skimmer-what-now\/\"><\/a>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 91%,rgb(169,184,195) 100%)\"><strong><strong><strong><strong>Prevent critical incidents and financial loss with stronger proactive defense.\u00a0<\/strong><a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=feeds+landing&amp;utm_content=ti+feeds+sales&amp;utm_term=070726#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Integrate a live threat feed from 15K SOC Teams<\/a><\/strong>.<\/strong><\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/braintree-nuget-typosquat-uses-xor-obfuscated-c2\/\">Braintree NuGet Typosquat Uses XOR-Obfuscated C2 to Hide Environment Secret Theft<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/braintree-nuget-typosquat-uses-xor-obfuscated-c2\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Braintree NuGet Typosquat Uses XOR-Obfuscated C2 to Hide Environment Secret Theft A malicious NuGet package impersonating the Braintree .NET payment library has put production payment systems at risk. The package can collect live card details during transactions, then send the data away without alerting the application or its users. It also seeks credentials that could [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-14200","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14200"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14200"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14200\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}