17 npm, PyPI Packages Found Typosquatting Payment SDKs PaySafe, Skrill, and Neteller
- Campaign Uncovered: Socket detected 17 malicious npm and PyPI packages typosquatting PaySafe, Skrill, and Neteller SDKs.
- Rapid Detection: Each npm package shipped versions 1.0.0–1.0.3 and was flagged as malware within 6 minutes.
- Data Theft: The packages harvest API keys, tokens, and secrets, exfiltrating them to AWS infrastructure.
Socket researcher Joseph Edwards uncovered a coordinated typosquatting campaign on July 7, 2026, involving 17 malicious packages published across npm and PyPI. The packages target developers of the PaySafe, Skrill, and Neteller payment Software Development Kits (SDKs), ultimately stealing credentials and tokens, Socket said.
The near-simultaneous release across ecosystems shows an attacker able to pivot between platforms, complicating detection for defenders who monitor only one registry.
Coordinated npm and PyPI Attack
The campaign spanned two major registries, with 13 malicious packages on npm and 4 on PyPI. Each npm package published four versions, 1.0.0 through 1.0.3, and Socket's AI scanner detected every one as malware within 6 minutes of publication:
- npm/paysafe-checkout
- npm/paysafe-vault
- npm/neteller
- npm/skrill-payments
- npm/paysafe-js
- npm/paysafe-api
- npm/paysafe-node
- npm/paysafe-cards
- npm/paysafe-fraud
- npm/paysafe-kyc
- npm/skrill
- npm/skrill-sdk
- npm/paysafe-payments
The affected PyPI packages each published 1 malicious version (1.0.0) up to now, according to the July 7 report:
- pypi/paysafe-kyc
- pypi/paysafe-payments
- pypi/paysafe-sdk
- pypi/paysafe-api
Fake SDK Facade and Sandbox Evasion
The packages mimic legitimate payment SDKs to appear trustworthy. In one example, a fake PaySafe REST client successfully without ever contacting real PaySafe endpoints.
Before exfiltrating anything, the malware checks for analysis environments and skips exfiltration when it detects fewer than two CPU cores or hostnames and usernames containing terms like sandbox, analyzer, cuckoo, virus, malware, vmware, and vbox.
C2 Encoding and Credential Theft
The command-and-control (C2) hostname is hidden behind three decoding steps. The malware then harvests environment variables matching KEY, SECRET, TOKEN, PASS, AUTH, or API and sends them to AWS infrastructure.
The resolved ngrok IP previously served as C2 for infostealers like NjRAT, suggesting shared or borrowed criminal infrastructure.
Socket recommends the following actions:
- Rotate all secrets on any machine that imported or executed this package, especially env vars matching the harvest regex.
- Search dependency trees for all 13 campaign package names; block at registry proxy level.
- Hunt outbound HTTPS to .ngrok-free.dev from build/CI hosts (unusual for payment SDKs and legitimate applications).
- Audit CI logs for PAYSAFE_API_KEY usage combined with any of the listed package names.
Last week, fake Perplexity AI Chromium Extension was seen hijacking browser search via a typosquatted domain, and the FBI warned malicious actors utilize FIFA-related typo squatting and alternate top-level domains to harvest sensitive data last month.






