← All articles

Fake payment SDKs on npm and PyPI steal developer and cloud credentials

Socket found a coordinated campaign of 17 malicious packages on npm and PyPI that impersonate the payment SDKs for Paysafe, Skrill, and Neteller to steal developer and cloud credentials. The fake libraries mimic real SDKs, returning success responses without contacting the real services, while quietly harvesting environment secrets such as Paysafe API keys, AWS keys, and GitHub and npm tokens and sending them to a server on AWS. Because these packages get pulled into build pipelines, a single one reaching a continuous integration runner can hand over the broad credentials those runners hold. The npm versions trigger when a payment key is present; the PyPI versions run on install regardless.

Check
Audit your dependency trees and continuous integration logs for the named fake Paysafe, Skrill, and Neteller packages, and search for the PAYSAFE_API_KEY variable appearing alongside unfamiliar package names.
Affected
Developers and CI/CD pipelines integrating Paysafe, Skrill, or Neteller that pulled the malicious packages; the fake SDKs steal payment API keys, AWS credentials, and GitHub and npm tokens from build environments.
Fix
Remove any affected packages, rotate exposed API keys, cloud credentials, and registry tokens, pin and verify dependencies against official SDK names, and limit the credentials and permissions available inside CI/CD runners.