PyPI, Neteller, Skrill and Paysafe: Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials

PyPI, Neteller, Skrill and Paysafe: Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials

Malicious npm and PyPI Packages Target Payment Platforms with Stealer Malware

A recent cyberattack campaign leveraged malicious packages on npm and PyPI to distribute stealer malware targeting developers and users of Paysafe, Skrill, and Neteller payment applications. The threat actor published 17 fraudulent packages 13 on npm and 4 on PyPI designed to exfiltrate credentials, access tokens, and other sensitive data to a command-and-control (C2) server hosted on AWS.

The targeted platforms are widely used in e-commerce, online gaming, travel, financial services, cryptocurrency exchanges, and Forex trading. The malicious packages mimicked legitimate Paysafe SDKs, exposing fake APIs that returned false success responses while covertly harvesting data. Among the stolen information were Paysafe API keys, AWS credentials, GitHub and npm tokens, hostnames, usernames, and API usage metadata.

The npm packages (e.g., paysafe-checkout, skrill-payments) required a Paysafe API key to trigger data exfiltration, while the PyPI packages (e.g., paysafe-sdk, paysafe-api) executed the theft routine automatically upon initialization. The malware also included basic anti-analysis checks, halting execution if it detected virtualized environments or systems with fewer than two CPU cores.

Security researchers at Socket identified the campaign but noted that the threat actor’s identity remains unknown. The attack’s cross-ecosystem targeting (npm and PyPI) suggests a technically capable adversary, raising concerns about future, more sophisticated operations. Organizations using the affected packages were advised to rotate all exposed secrets and audit dependency trees for signs of compromise.

Source: https://www.bleepingcomputer.com/news/security/fake-paysafe-skrill-sdks-on-npm-and-pypi-steal-credentials/

PyPI TPRM report: https://www.rankiteo.com/company/pypi

Neteller TPRM report: https://www.rankiteo.com/company/bmexchangeservices

Skrill TPRM report: https://www.rankiteo.com/company/paysafe

Paysafe TPRM report: https://www.rankiteo.com/company/paysafegroup

"id": "bmepyppaypay1783542293",
"linkid": "bmexchangeservices, pypi, paysafe, paysafegroup",
"type": "Cyber Attack",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Financial Services, E-commerce, Online '
                                    'Gaming, Travel, Cryptocurrency, Forex '
                                    'Trading',
                        'name': 'Paysafe',
                        'type': 'Payment Platform'},
                       {'industry': 'Financial Services, E-commerce, Online '
                                    'Gaming, Travel, Cryptocurrency, Forex '
                                    'Trading',
                        'name': 'Skrill',
                        'type': 'Payment Platform'},
                       {'industry': 'Financial Services, E-commerce, Online '
                                    'Gaming, Travel, Cryptocurrency, Forex '
                                    'Trading',
                        'name': 'Neteller',
                        'type': 'Payment Platform'}],
 'attack_vector': 'Malicious npm/PyPI packages',
 'customer_advisories': 'Organizations using affected packages advised to '
                        'rotate secrets and audit dependencies.',
 'data_breach': {'data_exfiltration': 'Yes (to AWS C2 server)',
                 'personally_identifiable_information': 'Hostnames, usernames, '
                                                        'API usage metadata',
                 'sensitivity_of_data': 'High (PII, financial credentials, API '
                                        'keys)',
                 'type_of_data_compromised': ['Credentials',
                                              'API keys',
                                              'Access tokens',
                                              'Metadata']},
 'description': 'A recent cyberattack campaign leveraged malicious packages on '
                'npm and PyPI to distribute stealer malware targeting '
                'developers and users of Paysafe, Skrill, and Neteller payment '
                'applications. The threat actor published 17 fraudulent '
                'packages (13 on npm and 4 on PyPI) designed to exfiltrate '
                'credentials, access tokens, and other sensitive data to a '
                'command-and-control (C2) server hosted on AWS. The malicious '
                'packages mimicked legitimate Paysafe SDKs, exposing fake APIs '
                'that returned false success responses while covertly '
                'harvesting data such as Paysafe API keys, AWS credentials, '
                'GitHub and npm tokens, hostnames, usernames, and API usage '
                'metadata.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'Paysafe, Skrill, and Neteller',
            'data_compromised': 'Paysafe API keys, AWS credentials, GitHub and '
                                'npm tokens, hostnames, usernames, API usage '
                                'metadata',
            'identity_theft_risk': 'High (exfiltration of PII and credentials)',
            'operational_impact': 'Potential unauthorized access to payment '
                                  'systems, credential misuse',
            'payment_information_risk': 'High (exposure of payment API keys '
                                        'and tokens)',
            'systems_affected': 'Developer environments, payment platforms '
                                '(Paysafe, Skrill, Neteller)'},
 'initial_access_broker': {'entry_point': 'Malicious npm/PyPI packages',
                           'high_value_targets': 'Developers and users of '
                                                 'Paysafe, Skrill, and '
                                                 'Neteller'},
 'investigation_status': 'Ongoing (threat actor identity unknown)',
 'lessons_learned': 'Need for stricter vetting of open-source packages, '
                    'enhanced dependency monitoring, and rapid credential '
                    'rotation post-compromise.',
 'motivation': 'Data theft, credential harvesting',
 'post_incident_analysis': {'corrective_actions': 'Enhanced package scanning, '
                                                  'credential rotation, '
                                                  'dependency audits',
                            'root_causes': 'Lack of package vetting, '
                                           'dependency confusion, '
                                           'typosquatting'},
 'recommendations': ['Rotate all exposed secrets (API keys, tokens, '
                     'credentials).',
                     'Audit dependency trees for signs of compromise.',
                     'Implement automated scanning for malicious packages in '
                     'development pipelines.',
                     'Enforce multi-factor authentication for package '
                     'registries.',
                     'Monitor for unusual data exfiltration patterns.'],
 'references': [{'source': 'Socket (security researchers)'}],
 'response': {'containment_measures': 'Rotation of exposed secrets, dependency '
                                      'tree audits',
              'remediation_measures': 'Removal of malicious packages, '
                                      'credential rotation',
              'third_party_assistance': 'Socket (security researchers)'},
 'title': 'Malicious npm and PyPI Packages Target Payment Platforms with '
          'Stealer Malware',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'Dependency confusion / Typosquatting'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.