Malicious Developer Packages Mimic Paysafe, Skrill, and Neteller to Steal API Credentials

Security researchers have uncovered a coordinated malware campaign involving fake developer packages that impersonate official tools for Paysafe, Skrill, and Neteller—three widely used online payment platforms. These malicious packages are designed to covertly harvest API keys, tokens, and other sensitive credentials from developers’ systems, posing significant risks to financial infrastructure and payment processes.

The campaign comprises seventeen malicious packages distributed across npm and PyPI repositories, all published within a short timeframe. Each package is crafted to resemble legitimate software development kits (SDKs), complete with realistic function names and API structures that mimic the authentic libraries of Paysafe, Skrill, and Neteller. Developers who inadvertently integrate these packages into their projects expose their systems to silent credential theft.

Upon installation, these counterfeit packages do not perform actual payment processing. Instead, they return fake success responses to avoid raising suspicion while simultaneously exfiltrating sensitive data. The stolen information includes API keys, tokens, and other credentials, which are transmitted to attacker-controlled servers.

Researchers from Socket.dev identified this campaign, noting that their automated scanner flagged the packages within minutes of their publication. Despite rapid detection, the packages remained accessible long enough to pose a real threat to developers. The attackers employed sophisticated techniques, such as using different obfuscation keys for nearly every file, making it challenging for antivirus tools to detect the malicious code through simple pattern matching. Additionally, the malware incorporated sandbox evasion tactics, indicating a deep understanding of the open-source ecosystem and its defenses.

Each malicious package, such as the npm package ‘paysafe-node,’ exports a class resembling a genuine payment client. It reads environment variables like PAYSAFE_API_KEY and logs every request. Instead of interacting with real Paysafe endpoints, the code returns fake success messages while a hidden function collects the developer’s hostname, username, working directory, and environment variables containing keywords like KEY, SECRET, TOKEN, PASS, AUTH, or API. This approach allows the malware to capture a wide range of sensitive information, including AWS secret keys, GitHub tokens, and npm publishing tokens. The exfiltrated data is then packaged into a JSON payload and sent to a remote server over HTTPS, all while the fake SDK appears to function normally.

The PyPI versions of these malicious packages exhibit similar behavior. However, they activate automatically upon import, rather than waiting for an API key to be set. This characteristic makes the Python packages particularly dangerous, as they can initiate data theft even in testing environments where live credentials may not be present.

To evade detection during automated analysis, the malware checks for indicators that it is running inside a sandbox or virtual machine before transmitting stolen data. It examines the number of available CPU cores and scans the hostname and username for terms like ‘sandbox’ or ‘analyze.’ If such conditions are detected, the malware refrains from sending the exfiltrated data, thereby reducing the likelihood of detection.

This incident underscores the critical importance of vigilance when integrating third-party packages into development projects. Developers should meticulously verify the authenticity of packages, especially those related to financial services, by cross-referencing official documentation and repositories. Implementing robust security practices, such as regular audits of dependencies and the use of automated tools to detect malicious code, can help mitigate the risks associated with supply chain attacks. As threat actors continue to exploit the trust inherent in open-source ecosystems, maintaining a proactive and security-conscious development environment is essential to safeguarding sensitive information and maintaining the integrity of software projects.