Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Malware Targets Paysafe, Skrill, Neteller Users

Malware Targets Paysafe, Skrill, Neteller Users

Posted on July 10, 2026 By CWS

Security experts have identified a sophisticated malware operation targeting developers through counterfeit packages that pose as official tools for Paysafe, Skrill, and Neteller. These fraudulent packages were designed to extract API keys and other sensitive information from developer environments, potentially exposing financial systems to significant risk.

Coordinated Attack on Payment Platforms

The attack involved the dissemination of seventeen malicious packages across popular repositories like npm and PyPI. These packages were cleverly crafted to resemble legitimate software development kits, complete with authentic-looking function names and API structures similar to those of Paysafe, Skrill, and Neteller. Developers who inadvertently incorporated these packages into their payment applications risked having their credentials silently stolen.

According to researchers from Socket.dev, these packages were discovered almost immediately through automated scanning tools. Despite this, they remained available long enough to threaten developers. The attackers employed advanced techniques, including unique obfuscation keys for each file, complicating detection by conventional antivirus software.

Intricate Methods of Data Theft

The malicious npm packages, such as ‘paysafe-node,’ were programmed to export classes mimicking genuine payment clients, logging requests and capturing environment variables like PAYSAFE_API_KEY. Instead of communicating with real Paysafe servers, these packages returned false success messages while collecting detailed system data.

This mechanism allowed the malware to capture a wide range of credentials beyond Paysafe, including AWS secret keys and GitHub tokens. The stolen credentials were then sent to remote servers in JSON format, all while the fake SDKs appeared to function normally. The PyPI packages exhibited similar behavior, activating data theft almost immediately upon importation.

Evasion Techniques and Shared Infrastructure

To avoid detection, the malware checked for signs of sandbox or virtual machine environments before executing data exfiltration processes. This included evaluating CPU core counts and scanning for specific terms in hostnames and usernames. Additionally, the malware’s command and control servers were concealed behind multiple layers of encoding.

These servers utilized ngrok, a tunneling service that hides the true location of servers, and were linked to past cybercriminal activities. This suggests the infrastructure might be part of a larger toolkit used by organized cybercrime groups.

Recommendations for Developers

Security experts recommend that developers immediately rotate any compromised credentials and thoroughly audit their systems for any use of these malicious packages. Blocking these packages at the registry proxy level and reviewing build logs for suspicious outbound connections is advised to prevent further incidents.

By adopting these proactive defense measures, organizations can mitigate the risks posed by such malware campaigns and protect their financial and operational integrity.

Cyber Security News Tags:API keys, credential theft, Cybercrime, Cybersecurity, fake packages, hacker tactics, Malware, Neteller, NPM, Paysafe, PyPI, Skrill, Socket.dev, Software Security

Post navigation

Previous Post: Critical HP Linux Printing Software Flaw Threatens Security
Next Post: AI Vulnerability: ‘HalluSquatting’ Exploits Botnets

Related Posts

Critical Flaw Found in Fortinet FortiSandbox, Urgent Patch Required Critical Flaw Found in Fortinet FortiSandbox, Urgent Patch Required Cyber Security News
New Text Message Based Phishing Attack from China Targeting Users Around the Globe New Text Message Based Phishing Attack from China Targeting Users Around the Globe Cyber Security News
Google’s AI Tool Big Sleep Uncovered Critical SQLite 0-Day Vulnerability and Blocks Active Exploitation Google’s AI Tool Big Sleep Uncovered Critical SQLite 0-Day Vulnerability and Blocks Active Exploitation Cyber Security News
How CISOs Leverage Threat Intelligence to Prevent Breaches How CISOs Leverage Threat Intelligence to Prevent Breaches Cyber Security News
Interlock Ransomware With Double Extortion Tactics Attacking Windows and Linux Systems Interlock Ransomware With Double Extortion Tactics Attacking Windows and Linux Systems Cyber Security News
MacOS Users Targeted by Infiniti Stealer Malware MacOS Users Targeted by Infiniti Stealer Malware Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • CISA Reviews Cybersecurity Incident from AWS Credential Leak
  • Dell BIOS Vulnerability Enables Quick Password Retrieval
  • FastNetMon Unveils Netomics for Enhanced Routing Control
  • Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks
  • Top Unified Threat Management Solutions in 2026

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • CISA Reviews Cybersecurity Incident from AWS Credential Leak
  • Dell BIOS Vulnerability Enables Quick Password Retrieval
  • FastNetMon Unveils Netomics for Enhanced Routing Control
  • Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks
  • Top Unified Threat Management Solutions in 2026

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark