Bleepingcomputer
Malicious SDK Packages Target Paysafe, Skrill, and Neteller Users
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A coordinated malware campaign has been identified, involving 17 malicious packages on npm and PyPI masquerading as legitimate SDKs for Paysafe, Skrill, and Neteller. These packages were designed to exfiltrate sensitive credentials, including API keys and tokens, from developers' environments. The npm packages included four versions, while the PyPI packages contained a single version. The malicious code activates upon initialization, with npm packages triggering only if a Paysafe API key is present. The stolen data is sent to a command-and-control server hosted on AWS. Security researchers from Socket have issued warnings about the potential for further attacks due to the technical capabilities of the threat actor. Developers are advised to rotate all secrets and search dependency trees for the malicious packages. The attack highlights vulnerabilities in the software supply chain, particularly in popular development ecosystems.
Key Points: • 17 malicious packages were identified on npm and PyPI, impersonating payment SDKs. • The malware targets developers by stealing API keys and tokens from their environments. • Immediate action is recommended for affected developers to rotate secrets and check dependencies.