Malicious Packages on NPM and PyPI Steal Credentials, Target Payment SDK Users
A recent campaign has seen malicious packages masquerading as legitimate payment SDKs for **Paysafe**, **Skrill**, and **Neteller** infiltrate both the Node Package Manager (npm) and the Python Package Index (PyPI). These packages are designed to exfiltrate sensitive developer credentials and access tokens, posing a significant supply chain risk.
Threat actors have unleashed at least 17 malicious packages across **npm** and **PyPI**, specifically engineered to target developers integrating popular payment platforms like **Paysafe**, **Skrill**, and **Neteller**.
These packages, disguised as Software Development Kits (SDKs), are designed to steal credentials and access tokens, sending them to a command-and-control server hosted on **Amazon Web Services (AWS)**.
**Paysafe** is a widely used payment gateway for e-commerce, gaming, travel, and financial services. **Skrill** and **Neteller** are prominent digital wallets favored in online betting, cryptocurrency exchanges, and Forex trading.
## The Malicious Packages
According to application security firm **Socket**, the campaign targets developers through the following packages:
* npm/paysafe-checkout
* npm/paysafe-vault
* npm/neteller
* npm/skrill-payments
* npm/paysafe-js
* npm/paysafe-api
* npm/paysafe-node
* npm/paysafe-cards
* npm/paysafe-fraud
* npm/paysafe-kyc
* npm/skrill
* npm/skrill-sdk
* npm/paysafe-payments
* pypi/paysafe-kyc
* pypi/paysafe-payments
* pypi/paysafe-sdk
* pypi/paysafe-api
The 13 **npm** packages were found in four malicious versions (1.0.0 to 1.0.3), while the **PyPI** packages appeared in a single malicious version (1.0.0).
## How the Theft Occurs
These seemingly legitimate SDKs expose the expected Application Programming Interfaces (APIs) but return fake success responses instead of communicating with **Paysafe's** backend services. Their true purpose is credential theft.

The embedded malicious code actively searches compromised environments for critical secrets, including tokens, passwords, and API keys. **Socket's** analysis revealed that exfiltrated data includes **Paysafe** API keys, **AWS** keys, **GitHub** tokens, **npm** tokens, hostnames, usernames, and API usage metadata.
For the **npm** packages, the data theft module is activated when the fake SDK is called, and only attempts exfiltration if a **Paysafe** API key is present. In contrast, the **PyPI** packages automatically initiate the data theft routine upon initialization, regardless of whether a **Paysafe** API key is detected.
## Anti-Analysis Measures
The malware incorporates basic anti-analysis features. It halts execution if it detects fewer than two CPU cores or if the hostname or username suggests a virtualized environment.

## Recommendations for Developers
While the identity of the threat actor remains unknown, **Socket's** report suggests a technically proficient adversary capable of pivoting between ecosystems. This adaptability could complicate future defense efforts if visibility is limited to a single ecosystem.
Developers who may have installed any of the listed packages are strongly advised to:
* **Immediately rotate all secrets** on any machine that imported or executed these packages.
* **Search dependency trees** for the campaign's package names and deny any requests for them at the registry proxy level.
* **Review Continuous Integration (CI) system logs** for `PAYSAFE_API_KEY` in combination with any of the malicious package names.