Skip to content
Tech News
← Back to articles

Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials

read original more articles

Malicious packages on the Node Package Manager (npm) and the Python Package Index (PyPI) delivered stealer malware to developers and users of Paysafe, Skrill, and Neteller payment applications.

The threat actor published at least 17 malicious packages simultaneously, each tasked to exfiltrate credentials and access tokens to a command-and-control server hosted on Amazon Web Services (AWS).

All three payment platforms are popular, with Paysafe being mostly used by e-commerce sites and online marketplaces, gaming platforms, travel businesses, and financial services or software-as-a-service (SaaS) providers.

Skrill and Neteller are digital wallets and money transfer services used in online betting, cryptocurrency exchanges, and on Forex trading platforms.

Software developers working on such platforms integrate Paysafe’s SDKs into apps and websites to implement a secure payments and funds management system.

According to application security company Socket, these developers are the targets of the latest campaign via the following packages:

npm/paysafe-checkout npm/paysafe-vault npm/neteller npm/skrill-payments npm/paysafe-js npm/paysafe-api npm/paysafe-node npm/paysafe-cards npm/paysafe-fraud npm/paysafe-kyc npm/skrill npm/skrill-sdk npm/paysafe-payments pypi/paysafe-kyc pypi/paysafe-payments pypi/paysafe-sdk pypi/paysafe-api

The researchers say that the 13 npm packages published four malicious versions, from 1.0.0 to 1.0.3, whereas the PyPI packages published only one malicious version, 1.0.0.

All 17 packages pretend to be legitimate payment SDKs, even exposing the expected APIs, but instead return fake success responses rather than communicate with Paysafe’s backend services.

The real purpose is credential theft, as the embedded malicious code searches compromised environments for secrets such as tokens, passwords, and API keys.

... continue reading