Malicious SDK Packages Target Paysafe, Skrill, and Neteller Users

Malicious SDK Packages Target Paysafe, Skrill, and Neteller Users

First seen 9 Jul 2026, 10:55 UTC BleepingcomputerGbhackersCybersecuritynewssocket.dev 81% similarity 69.0

Article Content

Browse articles
ThreatCluster

A coordinated malware campaign has been identified, involving 17 malicious packages on npm and PyPI masquerading as legitimate SDKs for Paysafe, Skrill, and Neteller. These packages were designed to exfiltrate sensitive credentials, including API keys and tokens, from developers' environments. The npm packages included four versions, while the PyPI packages contained a single version. The malicious code activates upon initialization, with npm packages triggering only if a Paysafe API key is present. The stolen data is sent to a command-and-control server hosted on AWS. Security researchers from Socket have issued warnings about the potential for further attacks due to the technical capabilities of the threat actor. Developers are advised to rotate all secrets and search dependency trees for the malicious packages. The attack highlights vulnerabilities in the software supply chain, particularly in popular development ecosystems.

Key Points: • 17 malicious packages were identified on npm and PyPI, impersonating payment SDKs. • The malware targets developers by stealing API keys and tokens from their environments. • Immediate action is recommended for affected developers to rotate secrets and check dependencies.

ThreatCluster AI

Timeline

2026-07-08
Malicious packages discovered
Researchers identified 17 fake SDK packages on npm and PyPI designed to steal credentials from developers.
Bleepingcomputer
2026-07-09
Security advisory issued
Socket researchers warned developers to rotate secrets and search for malicious packages in their environments.
Cybersecuritynews
Recent
Threat actor analysis
Analysis suggests the threat actor has technical expertise and may conduct further organized attacks.
Gbhackers

Community

Browse all →