Malicious Payment SDK Packages Target Developers on NPM and PyPI

Seventeen counterfeit SDK packages on NPM and PyPI impersonate Paysafe, Skrill, and Neteller libraries to steal credentials from developer environments.

CSBadmin
2 Min Read

The Attack on Package Registries

A threat actor has published 17 counterfeit packages on the NPM and PyPI repositories, designed to impersonate official software development kits (SDKs) for Paysafe, Skrill, and Neteller payment platforms. These packages were uploaded simultaneously and contain embedded stealer malware. The malicious code seeks to exfiltrate credentials, API keys, and access tokens from compromised development environments, sending them to a command and control server hosted on Amazon Web Services.

Mechanics and Impact

The counterfeit packages mimic legitimate SDKs by exposing expected APIs, but they return fake success responses instead of communicating with Paysafe’s backend services. On NPM, the data theft routine activates only when a Paysafe API key is detected within the environment. In contrast, the PyPI packages execute the theft routine automatically upon initialization, without requiring a specific API key. The exfiltrated data includes Paysafe API keys, AWS keys, GitHub tokens, and NPM tokens. The malware includes basic anti-analysis features that halt execution if fewer than two CPU cores are detected or if the hostname indicates a virtualized environment. Developers who have installed any of these packages are advised to immediately rotate all secrets on affected machines and to review dependency trees and CI system logs for signs of compromise.

Source: BleepingComputer

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.