> Back to All Posts

Fake Paysafe, Skrill npm Packages Steal Developer Data

fake Paysafe Skrill npm packages

Developers building payment integrations just became the target of a coordinated supply chain attack. Security researchers uncovered fake Paysafe and Skrill npm packages designed to look like legitimate SDKs, but built instead to steal credentials from anyone who installed them. The campaign also spread through PyPI, Python’s package repository, hitting developers across two of the most widely used software ecosystems at once.

This wasn’t a small, isolated incident. At least 17 malicious packages went live simultaneously, impersonating SDKs for three major payment platforms: Paysafe, Skrill, and Neteller. For developers working on e-commerce sites, gaming platforms, or betting and crypto exchange services, the packages looked exactly like what they needed. That’s precisely what made them dangerous.

How the Attack Worked

Application security firm Socket identified the malicious packages and broke down their strategy. Package names like paysafe-checkout, skrill-payments, and neteller-api closely mirrored real SDK naming conventions, so developers had little reason to suspect anything was wrong. Thirteen packages appeared on npm, while four more surfaced on PyPI.

The npm versions shipped through four separate releases, numbered 1.0.0 through 1.0.3. The PyPI packages stopped at version 1.0.0. Each one mimicked real SDK behavior convincingly. Functions returned fake “success” responses instead of connecting to Paysafe’s actual backend, so a developer testing the integration would see everything working as expected.

Behind that fake success message, the packages were doing something else entirely. They harvested secrets directly from developer environments, including API keys, tokens, and passwords, then sent that data to a command-and-control server hosted on AWS infrastructure.

What Got Stolen

The scope of stolen data went well beyond payment credentials. Once installed, the fake Paysafe Skrill npm packages collected a wide range of sensitive information: Paysafe API keys, AWS keys, GitHub tokens, npm tokens, hostnames, usernames, and general API usage metadata.

That combination matters because it doesn’t just compromise a single service. A stolen GitHub token can open access to private repositories. An AWS key can expose entire cloud infrastructures. So a single bad install could cascade into a much larger breach, far beyond the original payment integration a developer was trying to build.

The npm and PyPI versions also behaved differently. On npm, the malicious code only activated if a real Paysafe API key was present, and it triggered when the fake SDK function was actually called. The PyPI packages skipped that step entirely. They activated automatically during initialization, with no API key required at all.

Built to Avoid Detection

The malware wasn’t sophisticated in every sense, but it did include basic anti-analysis logic meant to dodge security researchers and automated scanning tools. If the code detected fewer than two CPU cores, or found hostname and username strings commonly associated with sandboxed or virtual environments, it would simply halt.

This kind of check is common in malware built to survive longer in the wild. Automated security scanners often run in virtualized environments with limited resources, so malware that checks for those conditions can slip past detection while still functioning normally on a real developer’s machine.

Who Is at Risk

The targeting here wasn’t random. Paysafe, Skrill, and Neteller all serve high-value industries where fraud and financial theft carry real consequences. Betting platforms, crypto exchanges, and Forex services rely heavily on Skrill and Neteller for transactions, while Paysafe serves e-commerce sites, travel businesses, gaming platforms, and SaaS providers.

Researchers haven’t confirmed who is behind the campaign, but the coordination across two package registries suggests a technically capable actor. Some analysts believe this could be an early version of a larger, more organized effort still to come.

What Developers Should Do Now

Anyone who installed packages matching these names should treat their environment as compromised. Socket recommends rotating every secret on any machine where the packages were installed, including API keys, tokens, and passwords tied to Paysafe, AWS, GitHub, and npm accounts.

Development teams should also search their dependency trees for the specific package names involved and remove them immediately. Blocking these packages at the registry proxy level adds another layer of protection for organizations managing multiple projects. Reviewing CI and CD logs for any mention of a Paysafe API key alongside the malicious package names can also help identify how far the exposure spread.

Final Thoughts

This campaign is a reminder that open source package ecosystems remain a soft target for attackers looking for maximum impact with minimal effort. A single convincing package name can trick experienced developers, especially when it mimics a service they already trust.

The fake Paysafe Skrill npm packages didn’t rely on complex exploits or zero-day vulnerabilities. They relied on trust, familiarity, and the assumption that a package named after a known payment provider must be legitimate. As supply chain attacks like this one continue to grow more common, verifying package publishers, auditing dependencies regularly, and rotating credentials after any suspicious installs are no longer optional steps. They’re basic hygiene for anyone building software that touches financial data.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.