Fake Paysafe and Skrill SDKs on npm and PyPI Steal Developer Credentials
What happened
Researchers at Socket found a software supply-chain campaign using fake npm and PyPI packages that impersonated Paysafe, Skrill, and Neteller payment SDKs to steal developer credentials and access tokens.
The threat actor published at least 17 malicious packages across npm and PyPI. The packages appeared to offer payment integration functionality for developers working with Paysafe, Skrill, and Neteller, but their real purpose was to search development environments for secrets and exfiltrate them to a command-and-control server hosted on AWS.
Socket identified the malicious packages as:
npm/paysafe-checkoutnpm/paysafe-vaultnpm/netellernpm/skrill-paymentsnpm/paysafe-jsnpm/paysafe-apinpm/paysafe-nodenpm/paysafe-cardsnpm/paysafe-fraudnpm/paysafe-kycnpm/skrillnpm/skrill-sdknpm/paysafe-paymentspypi/paysafe-kycpypi/paysafe-paymentspypi/paysafe-sdkpypi/paysafe-api
The packages were designed to look credible by exposing expected SDK-style APIs. Instead of communicating with real payment backend services, they returned fake success responses while searching for sensitive data such as Paysafe API keys, AWS keys, GitHub tokens, npm tokens, hostnames, usernames, and API usage metadata.
Socket found that the npm packages attempted exfiltration only when a Paysafe API key was present and the fake SDK was called. The PyPI packages were more aggressive, activating their data theft routine when initialized and without requiring a Paysafe API key to be present. The malware also included basic anti-analysis checks, such as stopping execution when it detected fewer than two CPU cores or hostnames and usernames suggesting a virtualized analysis environment.
Who is affected
Developers and organizations that installed the fake Paysafe, Skrill, or Neteller packages from npm or PyPI are directly affected.
The risk is highest for teams building payment integrations, e-commerce platforms, online marketplaces, SaaS billing systems, gaming platforms, travel services, digital wallets, crypto platforms, Forex tools, and online betting systems.
Organizations may also be exposed if the packages were installed in CI/CD systems, developer workstations, containers, build servers, or test environments containing API keys, GitHub tokens, npm tokens, AWS credentials, or payment-related secrets.
Why CISOs should care
This campaign targets the software supply chain around payment infrastructure. Instead of attacking production payment systems directly, the threat actor placed fake SDKs where developers might search for integration packages.
For CISOs, the danger is that fake SDKs can appear functional enough to pass early testing. Returning fake success responses allows the package to blend into development workflows while quietly collecting secrets.
The cross-registry approach also matters. Socket noted that the attacker operated across both npm and PyPI, which creates visibility gaps for organizations that monitor only one package ecosystem.
The stolen credential types are especially sensitive. AWS keys, GitHub tokens, npm tokens, and payment API keys can be used for cloud abuse, source-code access, package tampering, payment fraud, or follow-on compromise of software pipelines.
3 practical actions
Search dependency trees for the malicious packages: Security teams should check npm and PyPI dependencies for the listed package names and block them at registry proxy or package-management controls.
Rotate exposed secrets immediately: Any developer machine, CI job, container, or build environment that imported or executed one of the packages should be treated as compromised. Rotate Paysafe API keys, AWS keys, GitHub tokens, npm tokens, and any other secrets present in the environment.
Review CI logs and package activity: Teams should search CI logs for
PAYSAFE_API_KEYalongside the malicious package names, investigate suspicious package installs, and monitor for unusual use of cloud, GitHub, npm, and payment API credentials.
Recent cybersecurity news:


