Fake Paysafe, Skrill, Neteller Packages Steal API Keys and Tokens
Key Takeaways A sophisticated malware campaign targeted developers using fake packages disguised as SDKs for popular payment platforms: Paysafe, Skrill, and Neteller. Seventeen malicious packages...
Key Takeaways
- A sophisticated malware campaign targeted developers using fake packages disguised as SDKs for popular payment platforms: Paysafe, Skrill, and Neteller.
- Seventeen malicious packages were identified on npm and PyPI, designed to steal API keys, tokens, and other sensitive credentials.
- The malware employed advanced evasion techniques, including per-file obfuscation and sandbox detection, to avoid discovery.
- Compromised data, including AWS keys and GitHub tokens, was exfiltrated to a command and control server hidden behind ngrok.
- Developers are urged to rotate exposed credentials and scan for the identified malicious packages.
Cybersecurity researchers have uncovered a coordinated malware operation that leveraged counterfeit developer packages, masquerading as legitimate tools for the widely used online payment services Paysafe, Skrill, and Neteller. The primary objective of this malicious campaign was to surreptitiously extract API keys, access tokens, and other critical credentials from developer environments. The stolen information was then transmitted to servers controlled by the attackers, posing a significant risk to financial infrastructures and payment processing systems.
Table Of Content
The campaign involved a total of seventeen malicious packages distributed across the npm and PyPI repositories. These packages were published in close succession, indicating a deliberate and concentrated effort by the threat actors. Each package was meticulously crafted to imitate a genuine software development kit (SDK), complete with deceptive function names and API structures that mirrored those of the authentic Paysafe, Skrill, and Neteller libraries. Developers who inadvertently installed these compromised packages during the creation of payment integrations unwittingly exposed their systems to silent credential theft, as detailed in a comprehensive report.
The security firm Socket.dev was instrumental in identifying this campaign. Socket said in a report shared with Cyber Security News (CSN) that its automated scanning systems flagged the suspicious packages within minutes of their publication. This rapid detection highlights the effectiveness of modern security tools in combating such threats. Despite this swift identification, the packages remained active long enough to present a tangible risk to developers.
The attackers demonstrated a high level of sophistication in their approach, utilizing distinct obfuscation keys for almost every file within the packages. This technique ensured that no two packages shared identical signatures, complicating detection efforts by traditional antivirus software that relies on pattern matching. Furthermore, the campaign incorporated sandbox evasion tactics, indicating that the threat actor possesses an in-depth understanding of the open-source ecosystem and its defensive mechanisms.
Hackers Use Fake Paysafe, Skrill, and Neteller Packages
Each malicious npm package, such as paysafe-node, was designed to export a class that appeared to be a genuine payment client. This fake client would read environment variables like PAYSAFE_API_KEY and log every request, appearing to function normally. However, instead of communicating with actual Paysafe endpoints, the embedded malicious code would return a fabricated success message. Simultaneously, a concealed function would collect the developer’s hostname, username, current working directory, and any environment variables containing keywords such as KEY, SECRET, TOKEN, PASS, AUTH, or API.
This broad sweep meant the malware was capable of pilfering a wide array of sensitive credentials beyond just Paysafe information. It could snatch AWS secret keys, GitHub tokens, npm publishing tokens, and other critical values present in the compromised environment. The harvested data was then compiled into a JSON payload and securely transmitted to a remote server over HTTPS, all while the deceptive SDK maintained the illusion of normal operation.
The PyPI versions of these malicious packages exhibited similar behavior. A key difference was their activation mechanism: they would automatically initiate data theft upon being imported, rather than waiting for an API key to be explicitly set. This characteristic made the Python packages potentially more hazardous, as they could trigger credential exfiltration even in development or testing environments where live credentials were not expected to be present.
Evasion Tactics and Command Infrastructure
To circumvent detection by automated analysis tools, the malware incorporated checks for common indicators of a sandbox or virtual machine environment before attempting to exfiltrate stolen data. It would examine the number of available CPU cores and scrutinize the hostname and username for terms like “sandbox,” “analyzer,” “cuckoo,” or “vmware.” If any of these indicators were present, the malware would silently abort its exfiltration process, thus avoiding detection.
The command and control (C2) address used by the attackers was cleverly concealed through multiple layers of encoding. This required a sequence of decoding operations, specifically an XOR operation, a character shift, and a string reversal, to reveal the true domain. This domain was hosted on ngrok, a legitimate tunneling service frequently abused by cybercriminals to obscure the actual location of their C2 servers.
Further analysis by researchers revealed that the IP address linked to this ngrok hostname had previously been associated with C2 activities for other known credential-stealing malware. This finding suggests a potential overlap in infrastructure with established cybercrime groups, raising the possibility that this campaign is part of a larger, reusable toolkit rather than an isolated effort.
What You Should Do
- Immediately rotate all API keys, tokens, and other sensitive credentials that may have been exposed on systems where these packages were installed.
- Scan your project’s dependency trees for any of the identified malicious package names.
- Block the known malicious package names at your organization’s registry proxy level to prevent future installations.
- Audit build logs and network traffic for outbound connections to
ngrok-free.devdomains. - Implement robust software supply chain security practices, including vetting third-party packages and using automated tools to scan for malicious code.



No Comment! Be the first one.