Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware Activity
Summary
Hide ▲
Show ▼
Malicious npm and PyPI packages impersonating Paysafe, Skrill, and Neteller SDKs delivered stealer malware that siphoned secrets from developer environments and user workflows. The packages harvested credentials, access tokens, and other secrets, then sent them to an AWS-hosted command-and-control server. That supply-chain abuse expanded risk across both registries and increased the chance of account takeover and downstream compromise.
Related Happenings
Malicious npm and PyPI payment SDK typosquat packages
Malware Activity
H score40
First: 09.07.2026 18:09
Last: 09.07.2026 18:09
Sources 1
About this happening:
The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Malicious npm and PyPI payment SDK typosquat packages
Malware ActivityAbout this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Asteroiddao hit by network compromise
Incident
H score13
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...
Asteroiddao hit by network compromise
IncidentAbout this happening: **asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
IronWorm npm supply-chain infection and self-propagation
Malware ActivityAbout this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Timeline
-
08.07.2026 22:54 2 articles · 1d ago
Malicious npm and PyPI packages impersonate Paysafe, Skrill, and Neteller SDKs
Initial DisclosureMalicious packages on the Node Package Manager (npm) and the Python Package Index (PyPI) impersonated Paysafe, Skrill, and Neteller SDKs, exposed expected APIs, returned fake success responses, and exfiltrated credentials and access tokens to an AWS-hosted command-and-control server. Socket said the packages targeted developers working with Paysafe integrations, with npm packages activating when a Paysafe API key was present and the fake SDK was called, while PyPI packages activated on initialization; the malware also gathered Paysafe API keys, AWS keys, GitHub tokens, npm tokens, hostname, username, and API-usage metadata, and used basic anti-analysis checks.
Show sources
- Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials — www.bleepingcomputer.com — 08.07.2026 22:54
- Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials — www.bleepingcomputer.com — 08.07.2026 22:54