Fake Payment SDKs Used in Sophisticated Campaign to Steal Developer API Keys
A coordinated malware campaign distributed 17 fake npm and PyPI packages impersonating Paysafe, Skrill, and Neteller SDKs, designed to steal developer API keys and sensitive credentials.

A sophisticated malware campaign has been uncovered targeting developers through malicious packages disguised as official software development kits (SDKs) for popular online payment platforms Paysafe, Skrill, and Neteller. The attackers successfully published seventeen packages across the npm and PyPI repositories, all designed to mimic legitimate payment processing tools while secretly harvesting API keys, tokens, and other sensitive credentials from unsuspecting developers.
Researchers from Socket.dev identified the campaign, noting that the fake packages provided no actual payment functionality. Instead, they returned fabricated success messages to avoid raising suspicion. While appearing to process transactions, the malicious code silently collected critical information such as hostnames, usernames, working directories, and environment variables containing keywords like KEY, SECRET, TOKEN, PASS, AUTH, or API. This allowed the malware to exfiltrate not only payment-specific credentials but also other sensitive data like AWS secret keys and GitHub tokens.
The attackers employed advanced techniques to evade detection. Each package utilized unique obfuscation keys, preventing simple signature-based analysis by antivirus software. Furthermore, the malware incorporated sandbox evasion mechanisms, checking for signs of virtualized environments or analysis tools before initiating data exfiltration. This indicates a threat actor well-versed in the nuances of open-source ecosystems and security defenses.
The campaign's command and control (C2) infrastructure was also deliberately obscured. The C2 address was hidden behind multiple layers of encoding, requiring a combination of XOR operations, character shifts, and string reversals to reveal the actual domain. This domain was hosted on ngrok, a legitimate tunneling service often abused by cybercriminals to mask their server locations. Notably, the IP address associated with this ngrok domain had previously been linked to other credential-stealing malware operations, suggesting potential collaboration with established cybercrime groups.
The malicious packages were distributed across both JavaScript (npm) and Python (PyPI) ecosystems. The npm packages, such as paysafe-node, exported a facade class that intercepted API key requests. The PyPI versions, however, were designed to activate automatically upon import, making them potentially more dangerous as they could trigger data theft even in development or testing environments where live credentials might not be expected.
Socket.dev recommends that any developers who may have installed these packages immediately rotate all potentially exposed secrets. They also advise scanning dependency trees for the identified malicious package names, blocking them at the registry proxy level, and auditing build logs for suspicious outbound connections to ngrok-free.dev domains. The campaign underscores the persistent risks associated with the open-source software supply chain, particularly for critical infrastructure like payment processing.
This incident highlights the evolving tactics of threat actors who leverage the trust developers place in public repositories. By impersonating legitimate services and employing sophisticated evasion techniques, these attackers aim to compromise developer environments and gain access to valuable credentials, ultimately threatening the integrity of financial transactions and cloud infrastructure.