Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials
Malicious packages impersonating Paysafe, Skrill, and Neteller SDKs were published on npm and PyPI, delivering stealer malware designed to harvest credentials from developers and application users.
- Disclosed
- Last updated
- Blast radius
- Developers and users of Paysafe, Skrill, and Neteller payment applications who installed the malicious SDKs.
- Attack vectors
- Affected entities
- Paysafe SDK (fake)Malicious SDK impersonating Paysafe on npm and PyPI
- Skrill SDK (fake)Malicious SDK impersonating Skrill on npm and PyPI
- Neteller SDK (fake)Malicious SDK impersonating Neteller on npm and PyPI
Fake SDKs for Paysafe, Skrill, and Neteller payment platforms were discovered on the Node Package Manager (npm) and Python Package Index (PyPI) repositories. These malicious packages were designed to impersonate legitimate payment service SDKs, likely using typosquatting or similar naming tactics to deceive developers into installing them.\n\nThe packages contained stealer malware that targeted credential theft from both developers who installed the packages and end-users of applications that integrated the compromised SDKs. This represents a significant supply chain risk, as compromised payment SDKs can expose sensitive financial and authentication data.\n\nThe incident affected developers across both the Node.js and Python ecosystems who relied on these payment service integrations.
Indicators of compromise
- Packages
- paysafe (fake)
- skrill (fake)
- neteller (fake)
Remediation
- Immediately audit npm and PyPI installations for any Paysafe, Skrill, or Neteller SDK packages and verify their authenticity against official vendor repositories
- Remove any suspicious or unverified payment SDK packages from production environments
- Review package.json and requirements.txt files for typosquatted or unofficial package names
- Rotate all credentials and API keys that may have been exposed through the malicious SDKs
- Monitor for unauthorized access to payment accounts and financial systems
- Use official package sources and verify package signatures when available
- Implement dependency scanning tools to detect known malicious packages
Sources
- Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials · BleepingComputer
Cite this entry
"Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 8, 2026; last updated July 8, 2026. https://supplychainattack.org/incident/fake-paysafe-skrill-sdks-on-npm-and-pypi-steal-credentials-p02gb6
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- activehigh
Malicious PyPI packages give hackers control of Telegram bot servers
A campaign active since November 2025 has distributed malicious PyPI packages—trojanized Pyrogram forks—targeting Python developers building Telegram bots. The compromised packages allow attackers to read arbitrary files on affected servers.
PyPICompromised packageTyposquatting - activecritical
Mastra npm Supply Chain Attack: 140+ Packages Backdoored via easy-day-js Typosquat
On June 17, 2026, an attacker compromised the @mastra npm organization and injected easy-day-js, a typosquat of the popular dayjs library, as a dependency across 140+ packages. The malicious package contained an obfuscated postinstall dropper that downloaded and executed a second-stage payload from attacker-controlled servers before self-deleting. The affected packages had a combined weekly download count exceeding 1.1 million.
npmCompromised packageTyposquattingMalicious maintainer - containedcritical
Malware in tailwind-core
Malware was distributed via the npm package tailwind-core. Systems with the package installed are considered fully compromised and require immediate remediation.
npmCompromised package - resolvedcritical
Malware in rony-testing
The npm package rony-testing contained malware that provided full system compromise to attackers. Any computer with this package installed or running should be considered fully compromised.
npmCompromised package