Overview
Security researchers have uncovered a malware campaign targeting developers and users of Paysafe, Skrill, and Neteller payment applications. The attackers published 17 malicious packages across Node Package Manager (npm) and the Python Package Index (PyPI), masquerading as legitimate SDKs but designed to steal credentials and access tokens.
How the Attack Works
The malicious packages mimic official payment SDKs, exposing expected APIs but returning fake success responses instead of communicating with real backend services.
Key details:
- NPM packages: 13 fake modules, each with four malicious versions (1.0.0–1.0.3).
- PyPI packages: 4 fake modules, each with one malicious version (1.0.0).
- Activation logic:
- NPM packages trigger exfiltration only if a Paysafe API key is present.
- PyPI packages activate automatically upon initialization, requiring no API key.
The malware searches compromised environments for tokens, passwords, API keys, AWS credentials, GitHub tokens, npm tokens, hostnames, usernames, and metadata.
Anti‑Analysis Features
The malicious code includes basic anti‑analysis checks to evade detection:
- Stops execution if fewer than 2 CPU cores are detected.
- Halts if the hostname or username suggests a virtualized environment.
These techniques indicate the attacker is technically capable and may return with more sophisticated campaigns.
Why It Matters
Paysafe, Skrill, and Neteller are widely used in:
- E‑commerce and online marketplaces.
- Gaming platforms and travel businesses.
- Cryptocurrency exchanges and Forex trading platforms.
By targeting SDKs, attackers infiltrate the developer supply chain, compromising apps and websites at scale. This makes the campaign especially dangerous for financial services and SaaS providers.
Recommended Actions
Developers and organizations should act immediately:
- Rotate all secrets on any machine that imported or executed these packages.
- Search dependency trees for the listed package names.
- Block requests for these packages at the registry proxy level.
- Audit CI logs for
PAYSAFE_API_KEYin combination with suspicious package names. - Monitor for suspicious activity across developer environments.
Expert in the Cloud Insight
This incident underscores the growing risk of supply chain attacks in open‑source ecosystems. Attackers exploit developer trust by publishing malicious packages that look legitimate, then harvest sensitive credentials at scale.
For enterprises, the lesson is clear: dependency hygiene, secret rotation, and proactive monitoring must be standard practice. Supply chain security is no longer optional — it’s a frontline defense against credential theft and financial fraud.
Leave a Reply