Find notable cyber news and cases, enriched with sources, timelines, and signals.

Malicious npm and PyPI payment SDK typosquat packages

Malware Activity
First reported
Last updated
Happening score
H score 40
1 unique sources, 1 articles

Summary

Hide ▲

The 17 malicious npm and PyPI packages targeted Paysafe, Skrill, and Neteller SDKs to steal system information and developer secrets, then send the data to an Ngrok endpoint. The package set sits in a software supply-chain path that can reach developers who install apparently legitimate payment tooling. The activity increases the risk of credential theft and downstream compromise in payment-adjacent development environments.

Related Happenings

Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware

Malware Activity
H score37 First: 08.07.2026 22:54 Last: 08.07.2026 22:54 Sources 1

About this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Easy-day-js Mastra package-publishing campaign

Campaign
H score30 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

Timeline

  1. 09.07.2026 18:09 2 articles · 6h ago

    Malicious npm and PyPI packages typosquat Paysafe, Skrill, and Neteller SDKs

    Initial Disclosure

    Socket identified 17 malicious npm and PyPI packages that typosquat Paysafe, Skrill, and Neteller SDKs to steal system information and developer secrets, then exfiltrate the data to an Ngrok endpoint; the packages also avoid machines with fewer than two CPU cores and look for sandbox, analyzer, cuckoo, virus, malware, vmware, or vbox markers.

    Show sources