Fake Paysafe and Skrill SDKs on npm and PyPI Are Actively Stealing Developer Credentials
What Happened
Malicious packages impersonating official SDKs for Paysafe, Skrill, and Neteller were published to both npm and PyPI. The packages delivered credential-stealing malware targeting developers who integrated payment processing into their applications. This is a textbook typosquatting or namespace-hijacking supply chain attack: the packages look legitimate enough to pass a casual glance during dependency setup, but execute stealer payloads on install or import.
The attack surface here is unusually wide. Paysafe operates Skrill and Neteller under the same umbrella, so a single developer integrating any of the three payment brands was a potential target. Stealer malware in this context typically exfiltrates environment variables, shell history, SSH keys, browser-stored credentials, and any secrets sitting in local config files — the full toolkit a developer's machine tends to accumulate.
Why It Matters
Payment SDK integrations are high-value targets precisely because the developers touching them tend to have access to production API keys, merchant credentials, and sometimes direct access to transaction data. A compromised developer workstation in a payment integration context isn't just a personal data loss — it's a potential path to production infrastructure and customer financial data.
Supply chain attacks via fake packages have escalated sharply in 2025–2026. The npm and PyPI ecosystems both have publish-on-demand models with minimal upfront vetting, and attackers have become sophisticated at timing uploads to coincide with new SDK announcements or version bumps when developers are actively searching for the latest package. If you or your team set up any Paysafe, Skrill, or Neteller integration recently, assume risk until proven otherwise.
What To Do
Audit your dependencies immediately. Check package.json, package-lock.json, requirements.txt, and Pipfile.lock for any packages referencing Paysafe, Skrill, or Neteller. Cross-reference exact package names and publisher accounts against the BleepingComputer report to identify the specific malicious package names flagged by researchers.
Check install logs. Run npm ls or pip show <package> to confirm what's actually installed. Review your CI/CD pipeline logs for any unexpected package installs in recent builds.
Rotate credentials if there's any doubt. If these packages were present in any environment — developer laptop, CI runner, Docker build — treat all secrets on that system as compromised. Rotate API keys, revoke OAuth tokens, cycle SSH keys, and audit access logs for your payment processor accounts and any cloud infrastructure accessible from the affected machine.
Remove and report. Uninstall the malicious packages, then report them directly to npm security and PyPI's security team if they haven't already been pulled. Both registries accept abuse reports and can block re-uploads under the same name.
Harden going forward. Lock dependency versions with integrity hashes (npm ci with a committed lockfile; pip install --require-hashes). Consider a private registry mirror or a tool like Socket.dev or Snyk that scans for supply chain anomalies before install.
Synthesized by Claude · sanity-checked before publish.