Fake Paysafe and Skrill SDKs on npm and PyPI Went After Developers' Secrets

A single attacker uploaded 17 lookalike payment packages that quietly stole API keys, cloud credentials and GitHub tokens from anyone who installed them.

ThreatVectr Newsdesk· 4 min read
Full-frame overhead photo of a developer's dark wooden desk lit by warm lamplight, showing an open laptop with generic blurred code on screen, a small stack of
Share

Key points

  • A single attacker uploaded 17 fake payment packages to the npm and PyPI software libraries, first reported by BleepingComputer.
  • The packages impersonated official code kits for Paysafe, Skrill and Neteller, three widely used online payment services.
  • Once installed, the code hunted for Paysafe API keys, Amazon Web Services keys, GitHub tokens and npm tokens, then sent them to a server the attacker controlled.
  • Socket, the application security firm that spotted the campaign, says the stolen data was sent to a command server hosted on Amazon Web Services.
  • Any developer who installed one of the packages is advised to rotate every secret on the affected machine immediately.

Someone with time on their hands went shopping in the developer aisle again.

Researchers at Socket, an application security firm, have flagged 17 malicious software packages uploaded to npm and PyPI, the two big public libraries where programmers grab ready-made code to plug into their apps. npm serves the JavaScript world. PyPI serves Python. Both are, in effect, app stores for developers. And both keep getting used as delivery vans for credential theft.

The packages in this batch all pretended to be official code kits, known as SDKs, for three real payment brands: Paysafe, Skrill and Neteller. Paysafe handles payments for online shops, travel sites, games and software companies. Skrill and Neteller are digital wallets popular with online betting sites, cryptocurrency exchanges and foreign-exchange traders. If you build software for any of those industries, installing a Paysafe SDK is a normal Tuesday.

That is exactly what the attacker was counting on.

What did the fake packages actually do?

They stole secrets. The code looked and behaved like a real payment kit, even answering with fake "success" messages so a developer testing it would think everything was working. Behind the scenes, it rummaged through the machine for anything valuable: Paysafe API keys, Amazon Web Services keys, GitHub tokens, npm tokens, plus the machine's hostname and username. All of that was quietly shipped off to a server the attacker had set up on Amazon's cloud.

An API key, if you have not met the term, is basically a password that lets one piece of software talk to another. Steal a company's Paysafe API key and you can start impersonating that company to Paysafe. Steal its AWS keys and you may be able to spin up servers, read databases, or drain a cloud account.

The npm versions were slightly more patient. They only phoned home if a Paysafe API key was actually present on the machine. The PyPI versions were greedier: they ran their theft routine the moment they were loaded, key or no key.

Both versions included some light checks to avoid running inside a researcher's test environment. If the machine had fewer than two processor cores, or the hostname looked like a sandbox, the malware went quiet. Nothing fancy. Enough to slow down casual analysis.

Should ordinary customers of Paysafe or Skrill be worried?

Not directly. The attack targeted developers, not end users, and there is no sign the payment services themselves were broken into. Paysafe's, Skrill's and Neteller's own systems are not the victims here. The victims are the software teams who might have pulled a poisoned package into a build.

If you are a customer, keep doing the sensible things: watch your statements, and treat any unexpected email about your account as suspect until proven otherwise.

If you are a developer, the guidance from Socket is blunt. Check your dependency lists for the 17 package names. If any of them touched your machine or your build pipeline, rotate every secret on that machine, then hunt through your continuous integration logs for the string PAYSAFE_API_KEY next to any of the listed package names. Continuous integration, or CI, is just the automated system that builds and tests code every time a developer pushes an update.

The full package list is in Socket's writeup, and the names all follow the obvious pattern: paysafe-checkout, paysafe-vault, skrill-sdk, neteller, and so on. Registry proxies can be told to refuse them outright.

Socket's researchers think whoever ran this campaign is competent enough to try again, possibly under different names. Typosquatting on package registries is not a new trick. It is the developer equivalent of a fake login page: cheap, repeatable, and it only has to work once.

© 2026 Threat Vectr