Find notable cyber news and cases, enriched with sources, timelines, and signals.

Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware

Malware Activity
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

Malicious npm and PyPI packages impersonating Paysafe, Skrill, and Neteller SDKs delivered stealer malware that siphoned secrets from developer environments and user workflows. The packages harvested credentials, access tokens, and other secrets, then sent them to an AWS-hosted command-and-control server. That supply-chain abuse expanded risk across both registries and increased the chance of account takeover and downstream compromise.

Related Happenings

Malicious npm and PyPI payment SDK typosquat packages

Malware Activity
H score40 First: 09.07.2026 18:09 Last: 09.07.2026 18:09 Sources 1

About this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

Asteroiddao hit by network compromise

Incident
H score13 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **asteroiddao** suffered a compromised-account incident that let malicious npm package versions and repository commits seed a wider **supply-chain attack**. The account was used t...

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score15 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Timeline

  1. 08.07.2026 22:54 2 articles · 1d ago

    Malicious npm and PyPI packages impersonate Paysafe, Skrill, and Neteller SDKs

    Initial Disclosure

    Malicious packages on the Node Package Manager (npm) and the Python Package Index (PyPI) impersonated Paysafe, Skrill, and Neteller SDKs, exposed expected APIs, returned fake success responses, and exfiltrated credentials and access tokens to an AWS-hosted command-and-control server. Socket said the packages targeted developers working with Paysafe integrations, with npm packages activating when a Paysafe API key was present and the fake SDK was called, while PyPI packages activated on initialization; the malware also gathered Paysafe API keys, AWS keys, GitHub tokens, npm tokens, hostname, username, and API-usage metadata, and used basic anti-analysis checks.

    Show sources