Skip to content

Malicious Payment SDKs on NPM and PyPI Steal Credentials from Developers

A recent campaign has been identified where malicious packages on the Node Package Manager (npm) and Python Package Index (PyPI) have delivered stealer malware to developers and users of Paysafe, Skrill, and Neteller payment applications. The threat actor published at least 17 fake packages simultaneously, each tasked with exfiltrating credentials and access tokens to a command-and-control server hosted on Amazon Web Services (AWS).

The affected platforms are popular among e-commerce sites, online marketplaces, gaming platforms, travel businesses, financial services or software-as-a-service (SaaS) providers. Skrill and Neteller are digital wallets and money transfer services used in online betting, cryptocurrency exchanges, and Forex trading platforms.

Software developers working on these platforms integrate Paysafe’s SDKs into apps and websites to implement a secure payments and funds management system. The researchers say that the 13 npm packages published four malicious versions, from 1.0.0 to 1.0.3, whereas the PyPI packages published only one malicious version, 1.0.0.

All 17 packages pretend to be legitimate payment SDKs, even exposing the expected APIs, but instead return fake success responses rather than communicate with Paysafe’s backend services. The real purpose is credential theft, as the embedded malicious code searches compromised environments for secrets such as tokens, passwords, and API keys.

According to Socket, the exfiltrated data includes Paysafe API keys, AWS keys, GitHub tokens, npm tokens, hostname, username, and metadata about API usage. The data theft module in the npm packages attempts exfiltration only if a Paysafe API key is present and activates when the fake SDK is called.

The PyPI packages automatically activate the data theft routine upon initialization and do not require a Paysafe API key to be present at all. Socket’s analysis of the malware reveals that it includes some rather basic anti-analysis features, stopping execution if it detects fewer than 2 CPU cores or if the hostname or username contains cues indicating a virtualized environment.

It is unclear who is behind this campaign, but Socket’s report highlights some attributes suggesting that the threat actor is sufficiently technical and may return in a more organized way. The researchers warn that the attacker’s ability to pivot between ecosystems may make it more difficult to defend if there is only one ecosystem of visibility.

If any of the listed packages were installed, developers are recommended to immediately ‘rotate all secrets on any machine that imported or executed this package.’ The researchers also advise searching dependency trees for the package names used in the campaign and deny any requests for them at the registry proxy level.

It is also recommended to look in the logs of Continuous Integration (CI) systems for PAYSAFE_API_KEY in combination with any of the listed package names.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen. The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *