Security researchers have uncovered a supply chain attack involving fake Paysafe SDKs published on both npm and PyPI. The malicious packages impersonate legitimate software development kits for Paysafe, Skrill, and Neteller while secretly stealing credentials, API keys, and access tokens from developers.

The campaign targeted developers building payment integrations and highlights the continued threat posed by malicious open-source packages.

Malicious Packages Target Payment Developers

Application security firm Socket identified 17 malicious packages distributed across the Node Package Manager (npm) and the Python Package Index (PyPI).

The attacker published packages that appeared to offer official SDKs for Paysafe and its related payment platforms, including Skrill and Neteller.

The affected packages include:

npm

  • paysafe-checkout
  • paysafe-vault
  • neteller
  • skrill-payments
  • paysafe-js
  • paysafe-api
  • paysafe-node
  • paysafe-cards
  • paysafe-fraud
  • paysafe-kyc
  • skrill
  • skrill-sdk
  • paysafe-payments

PyPI

  • paysafe-kyc
  • paysafe-payments
  • paysafe-sdk
  • paysafe-api

According to Socket, the attacker released four malicious versions of the npm packages, ranging from 1.0.0 to 1.0.3, while each PyPI package contained a single malicious 1.0.0 release.

Fake Paysafe SDKs Returned False Success Responses

The fake Paysafe SDKs closely imitated legitimate payment libraries by exposing the expected APIs.

Instead of communicating with Paysafe’s backend infrastructure, however, the packages simply returned fake success responses, making the software appear to function normally while executing hidden malicious code.

Their primary purpose was to steal sensitive credentials from infected systems.

Malware Stole API Keys, Passwords, and Tokens

The embedded malware searched compromised environments for valuable secrets before sending the information to a command-and-control server hosted on Amazon Web Services (AWS).

Socket says the stolen information could include:

  • Paysafe API keys
  • AWS access keys
  • GitHub tokens
  • npm authentication tokens
  • Passwords
  • Hostnames
  • Usernames
  • API usage metadata

The npm malware only attempted to exfiltrate data when it detected a Paysafe API key and activated after an application called the fake SDK.

The PyPI versions behaved differently. They automatically launched the credential theft routine during initialization and did not require a Paysafe API key to begin stealing data.

Malware Included Basic Anti-Analysis Features

The attackers also added simple anti-analysis techniques to avoid detection during security testing.

The malware stopped running if it detected fewer than two CPU cores or identified usernames or hostnames commonly associated with virtual machines or sandbox environments.

Although the techniques were relatively basic, they demonstrate an effort to make the malicious packages more difficult for researchers to analyze.

Attackers Could Expand to Other Ecosystems

Socket says it has not identified the group responsible for the campaign.

However, the researchers believe the attacker possesses sufficient technical skills to launch similar operations in the future.

Because the campaign targeted both npm and PyPI simultaneously, defenders may struggle if they only monitor one software ecosystem for malicious packages.

Developers Should Rotate Credentials Immediately

Anyone who installed one of the fake Paysafe SDKs should assume their credentials have been compromised.

Socket recommends that affected developers:

  • Rotate all API keys, passwords, and access tokens immediately.
  • Search dependency trees for every malicious package name.
  • Block the packages at registry proxy level.
  • Review Continuous Integration (CI) logs for references to PAYSAFE_API_KEY alongside any of the malicious package names.

The incident serves as another reminder that software supply chain attacks continue to evolve. Even packages that closely resemble trusted SDKs can introduce serious security risks if developers install them without verifying their authenticity.


0 responses to “Fake Paysafe SDKs on npm and PyPI Steal Developer Credentials”