A new software supply-chain attack targeting developers has come to light after cybersecurity firm Socket discovered 17 fake Software Development Kit (SDK) packages masquerading as official Paysafe, Skrill, and Neteller libraries on the Node Package Manager (npm) and the Python Package Index (PyPI). The malicious packages are designed to steal sensitive credentials, API keys, and access tokens from compromised development environments.
According to the researchers, the threat actor simultaneously published 13 malicious npm packages and four PyPI packages. Although these packages appear to function as legitimate payment SDKs and expose the expected APIs, they do not communicate with the official payment platforms. Instead, they return fake success responses while secretly collecting sensitive information and transmitting it to a command-and-control (C2) server hosted on Amazon Web Services (AWS).
The affected packages include paysafe-checkout, paysafe-vault, paysafe-api, paysafe-node, paysafe-payments, paysafe-sdk, paysafe-kyc, skrill, skrill-sdk, skrill-payments, and neteller, among others. On npm, the attackers released four malicious versions ranging from 1.0.0 to 1.0.3, while each PyPI package was published as version 1.0.0.
Analysis revealed that the malicious packages search infected systems for Paysafe API keys, AWS access keys, GitHub tokens, npm tokens, passwords, hostnames, usernames, and API usage metadata before exfiltrating the information to the attackers.
Socket noted that the npm variants activate the data theft routine only when a Paysafe API key is present and the fake SDK is invoked. In contrast, the PyPI packages automatically execute the credential-stealing functionality upon initialization and do not require the presence of a Paysafe API key.
The researchers also identified basic anti-analysis techniques embedded in the malware. The malicious code terminates execution if it detects fewer than two CPU cores or if the hostname or username suggests that it is running inside a virtual machine or an analysis environment, making security analysis more difficult.
Although the identity of the threat actor remains unknown, the researchers believe the campaign demonstrates a technically capable adversary that may launch more sophisticated attacks in the future. They also warned that targeting both the npm and PyPI ecosystems simultaneously increases the complexity of detection and defense for software supply-chain security.
A Researcher at Algoritha Security said that the growing reliance on open-source packages has become one of the greatest strengths of modern software development, but it has also introduced significant supply-chain risks. Developers should carefully verify package publishers, download history, digital signatures, and community reputation before integrating third-party libraries. Organizations should also make Software Composition Analysis (SCA), dependency scanning, and registry monitoring integral components of their secure software development lifecycle.
Socket has advised organizations that installed or executed any of the identified packages to immediately rotate all API keys, access tokens, passwords, and other secrets. The company also recommends reviewing project dependency trees, auditing CI/CD logs, blocking the malicious package names at the registry proxy level, and searching Continuous Integration logs for PAYSAFE_API_KEY in conjunction with the listed package names to identify potential compromise.
