Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Microsoft Uses AI Scanning to Discover Vulnerabilities Pre-Exploit
July 9, 2026
AI-Powered Attack Breaches AWS Cloud Environment in 72 Hours
July 9, 2026
Critical Roundcube 0-Click Vulnerability Lets Attackers Inject Stored XSS
July 9, 2026
Home/Threats/Fake Paysafe, Skrill, Neteller Packages Steal API Keys and Tokens
Threats

Fake Paysafe, Skrill, Neteller Packages Steal API Keys and Tokens

Key Takeaways A sophisticated malware campaign targeted developers using fake packages disguised as SDKs for popular payment platforms: Paysafe, Skrill, and Neteller. Seventeen malicious packages...

Emy Elsamnoudy
Emy Elsamnoudy
July 9, 2026 4 Min Read
3 0

Key Takeaways

  • A sophisticated malware campaign targeted developers using fake packages disguised as SDKs for popular payment platforms: Paysafe, Skrill, and Neteller.
  • Seventeen malicious packages were identified on npm and PyPI, designed to steal API keys, tokens, and other sensitive credentials.
  • The malware employed advanced evasion techniques, including per-file obfuscation and sandbox detection, to avoid discovery.
  • Compromised data, including AWS keys and GitHub tokens, was exfiltrated to a command and control server hidden behind ngrok.
  • Developers are urged to rotate exposed credentials and scan for the identified malicious packages.

Cybersecurity researchers have uncovered a coordinated malware operation that leveraged counterfeit developer packages, masquerading as legitimate tools for the widely used online payment services Paysafe, Skrill, and Neteller. The primary objective of this malicious campaign was to surreptitiously extract API keys, access tokens, and other critical credentials from developer environments. The stolen information was then transmitted to servers controlled by the attackers, posing a significant risk to financial infrastructures and payment processing systems.

Table Of Content

  • Key Takeaways
  • Hackers Use Fake Paysafe, Skrill, and Neteller Packages
  • Evasion Tactics and Command Infrastructure
  • What You Should Do
  • Indicators of Compromise (IoCs)

The campaign involved a total of seventeen malicious packages distributed across the npm and PyPI repositories. These packages were published in close succession, indicating a deliberate and concentrated effort by the threat actors. Each package was meticulously crafted to imitate a genuine software development kit (SDK), complete with deceptive function names and API structures that mirrored those of the authentic Paysafe, Skrill, and Neteller libraries. Developers who inadvertently installed these compromised packages during the creation of payment integrations unwittingly exposed their systems to silent credential theft, as detailed in a comprehensive report.

The security firm Socket.dev was instrumental in identifying this campaign. Socket said in a report shared with Cyber Security News (CSN) that its automated scanning systems flagged the suspicious packages within minutes of their publication. This rapid detection highlights the effectiveness of modern security tools in combating such threats. Despite this swift identification, the packages remained active long enough to present a tangible risk to developers.

The attackers demonstrated a high level of sophistication in their approach, utilizing distinct obfuscation keys for almost every file within the packages. This technique ensured that no two packages shared identical signatures, complicating detection efforts by traditional antivirus software that relies on pattern matching. Furthermore, the campaign incorporated sandbox evasion tactics, indicating that the threat actor possesses an in-depth understanding of the open-source ecosystem and its defensive mechanisms.

Hackers Use Fake Paysafe, Skrill, and Neteller Packages

Each malicious npm package, such as paysafe-node, was designed to export a class that appeared to be a genuine payment client. This fake client would read environment variables like PAYSAFE_API_KEY and log every request, appearing to function normally. However, instead of communicating with actual Paysafe endpoints, the embedded malicious code would return a fabricated success message. Simultaneously, a concealed function would collect the developer’s hostname, username, current working directory, and any environment variables containing keywords such as KEY, SECRET, TOKEN, PASS, AUTH, or API.

This broad sweep meant the malware was capable of pilfering a wide array of sensitive credentials beyond just Paysafe information. It could snatch AWS secret keys, GitHub tokens, npm publishing tokens, and other critical values present in the compromised environment. The harvested data was then compiled into a JSON payload and securely transmitted to a remote server over HTTPS, all while the deceptive SDK maintained the illusion of normal operation.

The PyPI versions of these malicious packages exhibited similar behavior. A key difference was their activation mechanism: they would automatically initiate data theft upon being imported, rather than waiting for an API key to be explicitly set. This characteristic made the Python packages potentially more hazardous, as they could trigger credential exfiltration even in development or testing environments where live credentials were not expected to be present.

Evasion Tactics and Command Infrastructure

To circumvent detection by automated analysis tools, the malware incorporated checks for common indicators of a sandbox or virtual machine environment before attempting to exfiltrate stolen data. It would examine the number of available CPU cores and scrutinize the hostname and username for terms like “sandbox,” “analyzer,” “cuckoo,” or “vmware.” If any of these indicators were present, the malware would silently abort its exfiltration process, thus avoiding detection.

The command and control (C2) address used by the attackers was cleverly concealed through multiple layers of encoding. This required a sequence of decoding operations, specifically an XOR operation, a character shift, and a string reversal, to reveal the true domain. This domain was hosted on ngrok, a legitimate tunneling service frequently abused by cybercriminals to obscure the actual location of their C2 servers.

Further analysis by researchers revealed that the IP address linked to this ngrok hostname had previously been associated with C2 activities for other known credential-stealing malware. This finding suggests a potential overlap in infrastructure with established cybercrime groups, raising the possibility that this campaign is part of a larger, reusable toolkit rather than an isolated effort.

What You Should Do

  • Immediately rotate all API keys, tokens, and other sensitive credentials that may have been exposed on systems where these packages were installed.
  • Scan your project’s dependency trees for any of the identified malicious package names.
  • Block the known malicious package names at your organization’s registry proxy level to prevent future installations.
  • Audit build logs and network traffic for outbound connections to ngrok-free.dev domains.
  • Implement robust software supply chain security practices, including vetting third-party packages and using automated tools to scan for malicious code.

Indicators of Compromise (IoCs)

Type Indicator Description
Domain caliber-spinner-finishing[.]ngrok-free[.]dev Command and control domain used for exfiltrating stolen credentials
URL hxxps://caliber-spinner-finishing[.]ngrok-free[.]dev:443/ Endpoint used to receive exfiltrated JSON payloads via HTTPS POST
Package name npm/paysafe-checkout Malicious npm package typosquatting the Paysafe SDK <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/6f3

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwareSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Windows Update Installs LG Monitor App Pushing McAfee Ads

Next Post

Critical HP Linux Printing Bug (CVE-2023-1704) Lets Attackers Run Code

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical HP Linux Printing Bug (CVE-2023-1704) Lets Attackers Run Code
July 9, 2026
Fake Paysafe, Skrill, Neteller Packages Steal API Keys and Tokens
July 9, 2026
Windows Update Installs LG Monitor App Pushing McAfee Ads
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us