Bleepingcomputer
Malicious SDKs on npm and PyPI Target Payment Platforms for Credential Theft
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A coordinated supply-chain attack has been identified, involving 17 malicious packages on npm and PyPI that impersonate SDKs for Paysafe, Skrill, and Neteller. These packages were designed to exfiltrate sensitive credentials and access tokens to a command-and-control server. The npm packages included four malicious versions, while the PyPI packages had a single version. The attack primarily targets software developers integrating these payment SDKs into their applications. The malicious code searches for secrets such as API keys and passwords, with npm packages activating only if a Paysafe API key is present, while PyPI packages activate automatically. Security researchers recommend immediate action for developers who may have installed these packages, including rotating all secrets and searching dependency trees. The threat actor remains unidentified, but their technical sophistication suggests a potential for future organized attacks.
Key Points: • 17 malicious packages were published on npm and PyPI, masquerading as payment SDKs. • The attack targets developers of Paysafe, Skrill, and Neteller applications for credential theft. • Immediate action is advised for affected developers to rotate secrets and check dependency trees.