Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials

Malicious packages impersonating Paysafe, Skrill, and Neteller SDKs were published on npm and PyPI, delivering stealer malware designed to harvest credentials from developers and application users.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Developers and users of Paysafe, Skrill, and Neteller payment applications who installed the malicious SDKs.
Ecosystems
Attack vectors
Affected entities
  • Paysafe SDK (fake)Malicious SDK impersonating Paysafe on npm and PyPI
  • Skrill SDK (fake)Malicious SDK impersonating Skrill on npm and PyPI
  • Neteller SDK (fake)Malicious SDK impersonating Neteller on npm and PyPI

Fake SDKs for Paysafe, Skrill, and Neteller payment platforms were discovered on the Node Package Manager (npm) and Python Package Index (PyPI) repositories. These malicious packages were designed to impersonate legitimate payment service SDKs, likely using typosquatting or similar naming tactics to deceive developers into installing them.\n\nThe packages contained stealer malware that targeted credential theft from both developers who installed the packages and end-users of applications that integrated the compromised SDKs. This represents a significant supply chain risk, as compromised payment SDKs can expose sensitive financial and authentication data.\n\nThe incident affected developers across both the Node.js and Python ecosystems who relied on these payment service integrations.

Indicators of compromise

Packages
  • paysafe (fake)
  • skrill (fake)
  • neteller (fake)

Remediation

  • Immediately audit npm and PyPI installations for any Paysafe, Skrill, or Neteller SDK packages and verify their authenticity against official vendor repositories
  • Remove any suspicious or unverified payment SDK packages from production environments
  • Review package.json and requirements.txt files for typosquatted or unofficial package names
  • Rotate all credentials and API keys that may have been exposed through the malicious SDKs
  • Monitor for unauthorized access to payment accounts and financial systems
  • Use official package sources and verify package signatures when available
  • Implement dependency scanning tools to detect known malicious packages

Sources

  1. Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials · BleepingComputer

Cite this entry

"Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 8, 2026; last updated July 8, 2026. https://supplychainattack.org/incident/fake-paysafe-skrill-sdks-on-npm-and-pypi-steal-credentials-p02gb6

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. activehigh

    Malicious PyPI packages give hackers control of Telegram bot servers

    A campaign active since November 2025 has distributed malicious PyPI packages—trojanized Pyrogram forks—targeting Python developers building Telegram bots. The compromised packages allow attackers to read arbitrary files on affected servers.

    PyPICompromised packageTyposquatting
  2. activecritical

    Mastra npm Supply Chain Attack: 140+ Packages Backdoored via easy-day-js Typosquat

    On June 17, 2026, an attacker compromised the @mastra npm organization and injected easy-day-js, a typosquat of the popular dayjs library, as a dependency across 140+ packages. The malicious package contained an obfuscated postinstall dropper that downloaded and executed a second-stage payload from attacker-controlled servers before self-deleting. The affected packages had a combined weekly download count exceeding 1.1 million.

    npmCompromised packageTyposquattingMalicious maintainer
  3. containedcritical

    Malware in tailwind-core

    Malware was distributed via the npm package tailwind-core. Systems with the package installed are considered fully compromised and require immediate remediation.

    npmCompromised package
  4. resolvedcritical

    Malware in rony-testing

    The npm package rony-testing contained malware that provided full system compromise to attackers. Any computer with this package installed or running should be considered fully compromised.

    npmCompromised package