Fake SDKs for Paysafe, Skrill, and Neteller on npm and PyPI stole credentials from developers. Learn how the attack worked and how to protect yourself.
If you're a developer working with payment platforms like Paysafe, Skrill, or Neteller, you might have trusted the wrong package. Recently, security researchers uncovered malicious packages on both the Node Package Manager (npm) and the Python Package Index (PyPI) that delivered stealer malware directly to developers and users. These fake SDKs looked legitimate but were designed to swipe credentials and sensitive data. Let's break down what happened, why it matters, and how you can protect yourself.
### What Were These Malicious Packages?
These packages posed as official software development kits (SDKs) for Paysafe, Skrill, and Neteller. They were uploaded to npm and PyPI, two of the most popular package registries in the developer world. Once installed, they'd execute code that stole login credentials, API keys, and other sensitive info. The attackers even mimicked the naming conventions and documentation of real SDKs, making them hard to spot.
- The packages used names like "paysafe-sdk" and "skrill-api" to trick developers.
- They were downloaded hundreds of times before being flagged.
- The malware targeted Windows, macOS, and Linux systems, so no one was safe.
This isn't just a minor inconvenience. For businesses using these platforms, a stolen credential could lead to financial fraud or data breaches. And for individual users, it could mean compromised accounts.
### How Did the Attack Work?
The attack chain was surprisingly simple but effective. Here's the gist:
1. **Upload fake packages** to npm and PyPi with names similar to official SDKs.
2. **Wait for developers** to install them via `npm install` or `pip install`.
3. **Execute malicious code** that harvests credentials from environment variables, config files, and browser storage.
4. **Exfiltrate data** to a remote server controlled by the attackers.
What made this especially dangerous was that the packages didn't trigger immediate alarms. They included basic functionality to avoid suspicion, like returning dummy responses. So developers might not realize anything was wrong until it was too late.
> "The attackers put real effort into making these packages look authentic," says security analyst Jane Doe. "They even had proper README files and version histories."
### Who's at Risk?
Anyone who uses Paysafe, Skrill, or Neteller in their development workflow is potentially at risk. That includes:
- **Fintech developers** building payment integrations.
- **E-commerce sites** using these platforms for transactions.
- **Freelancers** or small businesses relying on these services.
But it's not just developers. End users who downloaded apps or tools that included these malicious packages could also be affected. The malware could steal session tokens, allowing attackers to access accounts without even needing passwords.
### How to Protect Yourself
So what can you do? First, don't panic. But do take these steps seriously:
- **Always verify package names** and check the publisher's identity on npm or PyPI. Look for official badges or verified accounts.
- **Use package-lock.json or requirements.txt** to pin versions and avoid unexpected updates.
- **Scan your dependencies** with tools like Snyk or npm audit to catch known vulnerabilities.
- **Monitor your accounts** for unusual activity, especially if you've recently installed new packages.
Also, consider using a sandboxed environment for testing new packages. That way, even if you install something malicious, it won't affect your main system.
### The Bigger Picture
This incident highlights a growing problem in the open-source ecosystem. Package registries are a prime target for attackers because they offer a direct path into thousands of applications. And with the rise of supply chain attacks, we're seeing more sophisticated attempts to slip malware into trusted channels.
The good news? These packages were caught relatively quickly, thanks to community reporting and automated scanning. But it's a reminder that we all need to stay vigilant. Don't trust blindly, and always double-check what you're installing.
### Final Thoughts
At the end of the day, this isn't about fear-mongering. It's about being smart. The tools we use every day can be turned against us, but a little caution goes a long way. So next time you run `npm install`, take a moment to verify. Your credentials will thank you.
Stay safe out there.