Researchers at application security firm Socket have identified a coordinated supply-chain campaign targeting developers who integrate Paysafe, Skrill, and Neteller payment services. At least 17 malicious packages were published simultaneously across both npm and PyPI, each designed to steal credentials and access tokens and forward them to a command-and-control server hosted on Amazon Web Services.
Package List and Distribution
The campaign spans 13 npm packages and four PyPI packages. The npm packages each published four versioned releases (1.0.0 through 1.0.3), while the PyPI packages published a single version, 1.0.0. The full list of identified packages includes:
- npm: paysafe-checkout, paysafe-vault, neteller, skrill-payments, paysafe-js, paysafe-api, paysafe-node, paysafe-cards, paysafe-fraud, paysafe-kyc, skrill, skrill-sdk, paysafe-payments
- PyPI: paysafe-kyc, paysafe-payments, paysafe-sdk, paysafe-api
All 17 packages present functional-looking APIs that return fake success responses instead of communicating with Paysafe’s actual backend, making detection harder during casual code review or testing.
What Gets Stolen
The embedded malicious code searches the execution environment for secrets including Paysafe API keys, AWS credentials, GitHub tokens, npm tokens, hostnames, usernames, and API usage metadata. The npm and PyPI variants differ slightly in their activation logic: the npm packages trigger data exfiltration only when a Paysafe API key is present and the fake SDK is called, whereas the PyPI packages launch the theft routine automatically on initialization regardless of whether such a key exists.
Anti-Analysis Behavior
The malware incorporates basic sandbox-evasion checks, halting execution if the host system reports fewer than two CPU cores or if the hostname or username contains strings associated with virtualized or analysis environments. Socket notes this indicates a sufficiently technical threat actor who may reappear with more sophisticated infrastructure.
Remediation Guidance
Socket recommends the following steps for any developer or organization that may have installed the listed packages:
- Immediately rotate all secrets on any machine that imported or executed one of the packages.
- Audit dependency trees for the identified package names and block them at the registry proxy level.
- Review CI/CD system logs for occurrences of PAYSAFE_API_KEY in combination with any of the listed package names.
The researchers also highlight that the attacker’s ability to operate across multiple package ecosystems simultaneously increases the difficulty of detection when monitoring is limited to a single registry. No attribution has been established at this time.
