Security experts have identified a sophisticated malware operation targeting developers through counterfeit packages that pose as official tools for Paysafe, Skrill, and Neteller. These fraudulent packages were designed to extract API keys and other sensitive information from developer environments, potentially exposing financial systems to significant risk.
Coordinated Attack on Payment Platforms
The attack involved the dissemination of seventeen malicious packages across popular repositories like npm and PyPI. These packages were cleverly crafted to resemble legitimate software development kits, complete with authentic-looking function names and API structures similar to those of Paysafe, Skrill, and Neteller. Developers who inadvertently incorporated these packages into their payment applications risked having their credentials silently stolen.
According to researchers from Socket.dev, these packages were discovered almost immediately through automated scanning tools. Despite this, they remained available long enough to threaten developers. The attackers employed advanced techniques, including unique obfuscation keys for each file, complicating detection by conventional antivirus software.
Intricate Methods of Data Theft
The malicious npm packages, such as ‘paysafe-node,’ were programmed to export classes mimicking genuine payment clients, logging requests and capturing environment variables like PAYSAFE_API_KEY. Instead of communicating with real Paysafe servers, these packages returned false success messages while collecting detailed system data.
This mechanism allowed the malware to capture a wide range of credentials beyond Paysafe, including AWS secret keys and GitHub tokens. The stolen credentials were then sent to remote servers in JSON format, all while the fake SDKs appeared to function normally. The PyPI packages exhibited similar behavior, activating data theft almost immediately upon importation.
Evasion Techniques and Shared Infrastructure
To avoid detection, the malware checked for signs of sandbox or virtual machine environments before executing data exfiltration processes. This included evaluating CPU core counts and scanning for specific terms in hostnames and usernames. Additionally, the malware’s command and control servers were concealed behind multiple layers of encoding.
These servers utilized ngrok, a tunneling service that hides the true location of servers, and were linked to past cybercriminal activities. This suggests the infrastructure might be part of a larger toolkit used by organized cybercrime groups.
Recommendations for Developers
Security experts recommend that developers immediately rotate any compromised credentials and thoroughly audit their systems for any use of these malicious packages. Blocking these packages at the registry proxy level and reviewing build logs for suspicious outbound connections is advised to prevent further incidents.
By adopting these proactive defense measures, organizations can mitigate the risks posed by such malware campaigns and protect their financial and operational integrity.
