At least 17 malicious packages on npm and PyPI masqueraded as legitimate Paysafe, Skrill, and Neteller SDKs, deploying credential-stealing malware. This attack could compromise sensitive user data, impacting developers and businesses relying on these payment services.
Malicious software was discovered in multiple packages on the Node Package Manager (npm) and Python Package Index (PyPI), designed to impersonate official Paysafe, Skrill, and Neteller SDKs. The threat actor published 17 versions that infiltrated developer environments with malicious intent.
Developers use these SDKs to integrate secure payment options into applications. The compromised packages exfiltrate sensitive data including API keys and user credentials to an AWS-hosted command-and-control server.
Given the popularity of these payment platforms, the attack could potentially affect a significant number of e-commerce sites, online marketplaces, and forex trading platforms.
The identified packages included names such as 'npm/paysafe-checkout' and 'pypi/paysafe-sdk'. Each npm package had versions from 1.0.0 to 1.0.3, while PyPI packages only had a single version. These packages pretended to provide legitimate SDK functionality but returned fake success responses instead of genuine backend communications.
The malicious code embedded in these packages specifically targets credentials and sensitive keys, highlighting a coordinated effort to exploit vulnerabilities in developer workflows. The npm packages activate data exfiltration only when a Paysafe API key is detected, whereas the PyPI versions initiate this process upon initialization.
This incident underlines the critical need for developers to verify package integrity before integration. Increased vigilance in monitoring package sources and employing security measures can mitigate risks associated with such attacks.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
At least 17 malicious packages on npm and PyPI masqueraded as legitimate Paysafe, Skrill, and Neteller SDKs, deploying credential-stealing malware. This attack could compromise sensitive user data, impacting developers and businesses relying on these payment services.