Malicious SDKs on npm and PyPI Target Payment Platforms for Credential Theft

Malicious SDKs on npm and PyPI Target Payment Platforms for Credential Theft

First seen 9 Jul 2026, 10:55 UTC BleepingcomputerGbhackerssocket.dev 81% similarity 64.5

Article Content

Browse articles
ThreatCluster

A coordinated supply-chain attack has been identified, involving 17 malicious packages on npm and PyPI that impersonate SDKs for Paysafe, Skrill, and Neteller. These packages were designed to exfiltrate sensitive credentials and access tokens to a command-and-control server. The npm packages included four malicious versions, while the PyPI packages had a single version. The attack primarily targets software developers integrating these payment SDKs into their applications. The malicious code searches for secrets such as API keys and passwords, with npm packages activating only if a Paysafe API key is present, while PyPI packages activate automatically. Security researchers recommend immediate action for developers who may have installed these packages, including rotating all secrets and searching dependency trees. The threat actor remains unidentified, but their technical sophistication suggests a potential for future organized attacks.

Key Points: • 17 malicious packages were published on npm and PyPI, masquerading as payment SDKs. • The attack targets developers of Paysafe, Skrill, and Neteller applications for credential theft. • Immediate action is advised for affected developers to rotate secrets and check dependency trees.

ThreatCluster AI

Timeline

2026-07-08
Malicious packages discovered on npm and PyPI
Security researchers identified 17 malicious packages impersonating payment SDKs, targeting developers.
Bleepingcomputer
2026-07-09
Security recommendations issued
Researchers advised developers to rotate secrets and search for malicious packages in their dependency trees.
Gbhackers

Community

Browse all →