Application security firm Socket has discovered and disclosed 17 malicious packages — 13 on npm and 4 on PyPI — impersonating legitimate payment processing SDKs for Paysafe, Skrill, and Neteller. The packages stole AWS authentication keys, GitHub personal access tokens, npm tokens, Paysafe API keys, and developer environment metadata from any developer who installed them, while returning fake success responses designed to prevent functional testing from revealing the compromise.
How 13 npm Packages and 4 PyPI Packages Impersonated Paysafe, Skrill, and Neteller SDKs
The 17 packages used names drawn directly from the three targeted payment platforms — including paysafe-checkout, skrill-payments, neteller, and related naming variants — to position themselves as the natural search result for a developer looking to integrate those payment APIs. Developers searching npm or PyPI for Paysafe or Skrill SDKs encountered package names that matched their search intent and installed them as routine dependencies.
The packages appeared on both major registries, covering the two most commonly used package ecosystems across backend JavaScript and Python development environments — the languages most frequently used for payment API integration work.
The Fake Success Response Technique That Prevented Functional Testing From Detecting Credential Theft
The most technically significant aspect of Socket’s discovery was the evasion mechanism the malicious packages deployed. Rather than failing silently or producing errors that a developer would investigate, the packages returned fake success responses when developers called their transaction or authentication functions during integration testing. A developer who installed one of the packages, wrote integration code, and ran a test transaction received an apparent success signal from the package — while the credential exfiltration executed silently in the background during or after installation.
This design means that a developer could proceed through the full integration workflow — installing the package, writing payment code, running tests, receiving success responses — without any indication that the environment had been compromised. Standard integration testing, which confirms that a dependency returns the expected response format for a given input, cannot detect an exfiltration payload when the package is designed to pass those tests.
The Full Range of Credentials Socket Found the Packages Harvesting From Developer Environments
Socket’s analysis identified the following credentials as targets: Paysafe API keys, AWS authentication keys, GitHub personal access tokens, npm authentication tokens, hostname and username identifying the developer’s machine, and API usage metadata exposing the scope of the payment integration. The combination of AWS authentication keys and payment processor API credentials represents two independent classes of high-value access: cloud infrastructure access through AWS, and direct payment rail access through Paysafe, Skrill, or Neteller production environments.
Why Payment SDK Developer Environments Are High-Value Credential Theft Targets
The packages specifically targeted developers integrating payment processing SDKs rather than general-purpose software libraries. This targeting is deliberate: a developer environment integrating Paysafe, Skrill, or Neteller typically holds production API credentials that connect directly to live payment infrastructure. Organizations deploying these integrations span e-commerce, online gaming, travel booking, fintech, cryptocurrency platforms, and online betting — developer environments in these sectors handle financial transaction flows on behalf of their users.
AWS credentials present in a payment integration environment are likely associated with the production infrastructure that hosts the payment service itself. GitHub personal access tokens present in the same environment provide access to the code repository containing the payment integration code, which may itself contain additional credentials or configuration details. The attacker targeting these environments collected a cluster of credentials that together could provide access to both the financial infrastructure and the codebase that operates it.
What Developers Who Installed Any of the 17 Packages Must Do
Socket’s disclosure and the subsequent removal of the packages from npm and PyPI ends their availability for new installation. Developers who installed any of the 17 identified packages before removal should treat all credentials present in the affected environment as compromised at the time of installation, regardless of when they were last used. The exfiltration occurs at installation, not at transaction execution — waiting to see whether the credentials are misused before rotating them leaves a window of ongoing exposure.
The Specific Credential Types Requiring Immediate Rotation After Exposure to These Packages
Any developer who installed one of the 17 packages should immediately rotate: all Paysafe, Skrill, and Neteller API keys that were accessible in the environment; all AWS authentication keys present in the environment at installation time; GitHub personal access tokens present during the installation; and npm authentication tokens used from the same machine. Hostname and username metadata collected by the packages does not require rotation but indicates the developer’s machine was logged as a compromised environment in the attacker’s collection infrastructure.