Malicious npm and PyPI payment SDK typosquat packages
Malware Activity
Summary
Hide ▲
Show ▼
The 17 malicious npm and PyPI packages targeted Paysafe, Skrill, and Neteller SDKs to steal system information and developer secrets, then send the data to an Ngrok endpoint. The package set sits in a software supply-chain path that can reach developers who install apparently legitimate payment tooling. The activity increases the risk of credential theft and downstream compromise in payment-adjacent development environments.
Related Happenings
Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware Activity
H score37
First: 08.07.2026 22:54
Last: 08.07.2026 22:54
Sources 1
About this happening:
Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...
Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware ActivityAbout this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityAbout this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Easy-day-js Mastra package-publishing campaign
Campaign
H score30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Easy-day-js Mastra package-publishing campaign
CampaignAbout this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware Activity
H score3
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware ActivityAbout this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Timeline
-
09.07.2026 18:09 2 articles · 6h ago
Malicious npm and PyPI packages typosquat Paysafe, Skrill, and Neteller SDKs
Initial DisclosureSocket identified 17 malicious npm and PyPI packages that typosquat Paysafe, Skrill, and Neteller SDKs to steal system information and developer secrets, then exfiltrate the data to an Ngrok endpoint; the packages also avoid machines with fewer than two CPU cores and look for sandbox, analyzer, cuckoo, virus, malware, vmware, or vbox markers.
Show sources
- ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories — thehackernews.com — 09.07.2026 18:09
- ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories — thehackernews.com — 09.07.2026 18:09