Fake Paysafe and Skrill SDKs on npm and PyPI Steal Developer Credentials

 

A coordinated supply-chain attack has compromised developers by distributing 17 malicious packages on npm and PyPI that impersonate legitimate SDKs for Paysafe, Skrill, and Neteller payment services. These packages were designed to silently exfiltrate sensitive credentials, including API keys, AWS tokens, GitHub secrets, and npm tokens, to a command-and-control server hosted on Amazon Web Services. 

The threat actor published these fake SDKs with names closely resembling official payment integration libraries, such as paysafe-checkout, skrill-payments, and paysafe-api. While the packages expose expected APIs and return fake success responses to avoid detection, their real purpose is credential theft. The embedded malware scans the compromised environment for secrets and exfiltrates them to the attacker’s server. 

Security researchers at Socket identified 13 malicious npm packages and four PyPI packages in this campaign. The npm packages were released in four versions (1.0.0 to 1.0.3), while the PyPI packages had only one malicious version (1.0.0). The full list includes well-known names like paysafe-js, paysafe-fraud, skrill-sdk, neteller, and paysafe-kyc. Developers who installed any of these packages risked having their secrets stolen, especially if they were working on payment integration projects for these services. The data theft module in the npm packages attempts exfiltration only if a Paysafe API key is present and activates when the fake SDK is called. The PyPI packages automatically activate the data theft routine upon initialization and do not require a Paysafe API key to be present at all. 

The malware incorporates basic anti-analysis features to avoid detection in sandboxed or virtualized environments. For instance, it halts execution if it detects fewer than two CPU cores or if the hostname or username suggests a virtual machine. To detect potential compromise, organizations should search their dependency trees for the listed package names and scan CI/CD logs for PAYSAFE_API_KEY in combination with these packages. Denying requests for these packages at the registry proxy level is also recommended to prevent accidental installation. If any of the listed packages were installed, developers are recommended to immediately rotate all secrets on any machine that imported or executed this package. 

The researchers also advise searching dependency trees for the package names used in the campaign and deny any requests for them at the registry proxy level. It is also recommended to look in the logs of Continuous Integration (CI) systems for PAYSAFE_API_KEY in combination with any of the listed package names. Additionally, teams should audit their project dependencies and CI/CD pipelines to ensure no traces of these malicious packages remain. Staying vigilant and verifying package sources before installation remains crucial to avoiding similar supply-chain attacks in the future. This incident highlights the growing sophistication of attackers targeting open-source repositories and the critical need for robust software supply-chain security practices. 

Developers must remain cautious when integrating third-party libraries into their projects, especially those related to financial s

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Read the original article: