
Malicious packages on the Node Package Manager (npm) and the Python Package Index (PyPI) delivered stealer malware to developers and users of Paysafe, Skrill, and Neteller payment applications.
The threat actor published at least 17 malicious packages simultaneously, each tasked to exfiltrate credentials and access tokens to a command-and-control server hosted on Amazon Web Services (AWS).
All three payment platforms are popular, with Paysafe being mostly used by e-commerce sites and online marketplaces, gaming platforms, travel businesses, and financial services or software-as-a-service (SaaS) providers.
Skrill and Neteller are digital wallets and money transfer services used in online betting, cryptocurrency exchanges, and on Forex trading platforms.
Software developers working on such platforms integrate Paysafe’s SDKs into apps and websites to implement a secure payments and funds management system.
According to application security company Socket, these developers are the targets of the latest campaign via the following packages:
- npm/paysafe-checkout
- npm/paysafe-vault
- npm/neteller
- npm/skrill-payments
- npm/paysafe-js
- npm/paysafe-api
- npm/paysafe-node
- npm/paysafe-cards
- npm/paysafe-fraud
- npm/paysafe-kyc
- npm/skrill
- npm/skrill-sdk
- npm/paysafe-payments
- pypi/paysafe-kyc
- pypi/paysafe-payments
- pypi/paysafe-sdk
- pypi/paysafe-api
The researchers say that the 13 npm packages published four malicious versions, from 1.0.0 to 1.0.3, whereas the PyPI packages published only one malicious version, 1.0.0.
All 17 packages pretend to be legitimate payment SDKs, even exposing the expected APIs, but instead return fake success responses rather than communicate with Paysafe’s backend services.
The real purpose is credential theft, as the embedded malicious code searches compromised environments for secrets such as tokens, passwords, and API keys.
According to Socket, the exfiltrated data includes Paysafe API keys, AWS keys, GitHub tokens, npm tokens, hostname, username, and metadata about API usage.
Data theft function on npm (left) and on PyPI (right)Source: Socket
The data theft module in the npm packages attempts exfiltration only if a Paysafe API key is present and activates when the fake SDK is called.
The PyPI packages automatically activate the data theft routine upon initialization and do not require a Paysafe API key to be present at all.
Socket’s analysis of the malware reveals that it includes some rather basic anti-analysis features, stopping execution if it detects fewer than 2 CPU cores or if the hostname or username contains cues indicating a virtualized environment.
Anti-analysis checksSource: Socket
It is unclear who is behind this campaign, but Socket's report highlights some attributes suggesting that the threat actor is sufficiently technical and may return in a more organized way.
The researchers warn that the attacker's ability to pivot between ecosystems may make it more difficult to defend if there is only one ecosystem of visibility.
If any of the listed packages were installed, developers are recommended to immediately "rotate all secrets on any machine that imported or executed this package."
The researchers also advise searching dependency trees for the package names used in the campaign and deny any requests for them at the registry proxy level.
It is also recommended to look in the logs of Continuous Integration (CI) systems for PAYSAFE_API_KEY in combination with any of the listed package names.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.











English (US) ·