PROBABLYPWNED
MalwareJuly 9, 20264 min read

Fake Paysafe and Skrill SDKs on npm and PyPI Steal CI/CD Secrets

17 malicious packages masquerading as payment processor SDKs exfiltrate API keys, AWS credentials, and GitHub tokens from developer environments. Packages flagged within 6 minutes of upload.

James Rivera

Security researchers at Socket identified 17 malicious packages across npm and PyPI on July 7, all masquerading as legitimate SDKs for PaySafe, Skrill, and Neteller payment services. The packages harvest Paysafe API keys, AWS credentials, GitHub tokens, and npm tokens from developer machines and CI/CD pipelines, exfiltrating them to attacker-controlled infrastructure.

Socket's automated scanning flagged the packages within six minutes of publication. But in an ecosystem where developers routinely install dozens of dependencies without manual review, even brief availability windows create risk.

The Malicious Packages

The campaign deployed 13 packages to npm and 4 to PyPI, each published in versions 1.0.0 through 1.0.3:

npm packages: paysafe-checkout, paysafe-vault, neteller, skrill-payments, paysafe-js, paysafe-api, paysafe-node, paysafe-cards, paysafe-fraud, paysafe-kyc, skrill, skrill-sdk, paysafe-payments

PyPI packages: paysafe-kyc, paysafe-payments, paysafe-sdk, paysafe-api

The package names closely mirror what a developer might search for when integrating payment processing. The official Paysafe documentation doesn't ship packages with these exact names, but developers unfamiliar with the official integration approach might install the fakes.

Credential Harvesting Behavior

The npm and PyPI variants use different activation triggers. On npm, the stealer code activates when the fake SDK is actually called with a Paysafe API key present—meaning the theft occurs during integration testing or production use. The PyPI packages activate automatically on import, requiring no additional triggering.

Both variants target similar credential sets: Paysafe API keys, AWS access keys, GitHub tokens, npm tokens, hostname, username, and API usage metadata. The inclusion of npm tokens is particularly dangerous—compromised tokens could enable further supply chain attacks by pushing malicious updates to legitimate packages the developer maintains.

The C2 infrastructure uses ngrok-free.dev domains, which provide free, ephemeral tunnel endpoints that are difficult to preemptively block.

Sandbox Evasion

The packages include anti-analysis features. Before exfiltrating credentials, they check for common sandbox indicators: fewer than two CPU cores, or hostnames and usernames containing strings like "sandbox", "analyzer", "cuckoo", "virus", "malware", "vmware", or "vbox". If any check matches, the script terminates without reaching the exfiltration phase.

This evasion technique explains why automated security scanning might miss the malicious behavior during basic dynamic analysis. Sandboxes meeting these criteria see clean execution.

Why Payment SDKs

Paysafe, Skrill, and Neteller serve sectors with high transaction volumes and correspondingly valuable API credentials: e-commerce, online gaming, cryptocurrency exchanges, and forex trading platforms. Compromised Paysafe API keys could enable fraudulent transactions. AWS and GitHub credentials provide lateral movement into cloud infrastructure and source code repositories.

The ChocoPOC supply chain attack we covered yesterday targeted security researchers through fake exploit code. This campaign targets a different developer population—fintech integrators—using the same fundamental approach: poison the supply chain with plausible-looking packages.

Detection and Response

Organizations using any of the named packages should immediately:

  1. Rotate all potentially exposed credentials including Paysafe API keys, AWS access keys, GitHub tokens, and npm tokens
  2. Audit CI/CD logs for connections to ngrok-free.dev domains
  3. Review npm/PyPI dependency additions from the past week for unexpected packages
  4. Check package-lock.json and requirements.txt for the listed malicious package names
  5. Implement dependency scanning tools that check packages against known-malicious registries

The rapid flagging by Socket demonstrates the value of automated supply chain security scanning. But the six-minute publication-to-detection window still allowed potential installations. For organizations integrating payment processing, manual verification of SDK sources against official vendor documentation remains essential.

Broader Context

This campaign adds to a growing list of supply chain attacks targeting developer tooling. The combination of typosquatting, credential harvesting, and sandbox evasion represents a mature attack pattern. The attacker demonstrated "sufficient technical capability," according to Socket, though specific attribution remains unavailable.

For more on protecting development environments, see our cybersecurity tools covering supply chain security scanners and dependency auditing solutions.

Related Articles