Fake Paysafe & Skrill SDKs Steal Credentials

Overview

Security researchers have uncovered a malware campaign targeting developers and users of Paysafe, Skrill, and Neteller payment applications. The attackers published 17 malicious packages across Node Package Manager (npm) and the Python Package Index (PyPI), masquerading as legitimate SDKs but designed to steal credentials and access tokens.

How the Attack Works

The malicious packages mimic official payment SDKs, exposing expected APIs but returning fake success responses instead of communicating with real backend services.

Key details:

  • NPM packages: 13 fake modules, each with four malicious versions (1.0.0–1.0.3).
  • PyPI packages: 4 fake modules, each with one malicious version (1.0.0).
  • Activation logic:
    • NPM packages trigger exfiltration only if a Paysafe API key is present.
    • PyPI packages activate automatically upon initialization, requiring no API key.

The malware searches compromised environments for tokens, passwords, API keys, AWS credentials, GitHub tokens, npm tokens, hostnames, usernames, and metadata.

Anti‑Analysis Features

The malicious code includes basic anti‑analysis checks to evade detection:

  • Stops execution if fewer than 2 CPU cores are detected.
  • Halts if the hostname or username suggests a virtualized environment.

These techniques indicate the attacker is technically capable and may return with more sophisticated campaigns.

Why It Matters

Paysafe, Skrill, and Neteller are widely used in:

  • E‑commerce and online marketplaces.
  • Gaming platforms and travel businesses.
  • Cryptocurrency exchanges and Forex trading platforms.

By targeting SDKs, attackers infiltrate the developer supply chain, compromising apps and websites at scale. This makes the campaign especially dangerous for financial services and SaaS providers.

Recommended Actions

Developers and organizations should act immediately:

  • Rotate all secrets on any machine that imported or executed these packages.
  • Search dependency trees for the listed package names.
  • Block requests for these packages at the registry proxy level.
  • Audit CI logs for PAYSAFE_API_KEY in combination with suspicious package names.
  • Monitor for suspicious activity across developer environments.

Expert in the Cloud Insight

This incident underscores the growing risk of supply chain attacks in open‑source ecosystems. Attackers exploit developer trust by publishing malicious packages that look legitimate, then harvest sensitive credentials at scale.

For enterprises, the lesson is clear: dependency hygiene, secret rotation, and proactive monitoring must be standard practice. Supply chain security is no longer optional — it’s a frontline defense against credential theft and financial fraud.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.