Researchers have uncovered fake Software Development Kits (SDKs) for Paysafe, Skrill, and Neteller on the Node Package Manager (npm) and the Python Package Index (PyPI). These counterfeit packages are designed to steal credentials from unsuspecting developers and users who integrate them into their projects. The discovery highlights a growing trend where supply chain attacks target popular package repositories to distribute malware.
The malicious payload, a stealer malware, captures sensitive data such as login credentials and financial information. The threat is particularly severe for developers who may inadvertently incorporate these rogue SDKs into their codebases, potentially compromising downstream applications and their end users. Active exploitation has not been explicitly confirmed, but the presence of these packages on public registries increases the attack surface dramatically.
Attackers lured victims by creating packages with names similar to legitimate Paysafe, Skrill, and Neteller SDKs. Once installed, the malware exfiltrates stored credentials and session tokens to a remote command-and-control server. No specific indicators of compromise (IOCs) have been publicly released at this time, but security firms are likely analyzing the packages for additional IoCs.
As of publication, both npm and PyPI have not issued widespread warnings, though the malicious packages may have been removed from the registries. Developers are advised to verify package integrity by checking hashes against official projects and to avoid blindly installing SDKs from third-party or unverified sources. No official patches or workarounds from Paysafe or Skrill have been announced.
Attribution for the campaign remains unknown. The attack fits a broader pattern of supply chain compromises targeting financial technology services, emphasizing the need for rigorous code vetting and registry hygiene.