Socket detected 17 malicious npm and PyPI packages published on July 7, 2026 that impersonate Paysafe, Skrill, and Neteller SDKs to steal credentials and tokens from developers. The stolen data was exfiltrated to AWS-backed infrastructure and a disguised C2 host at caliber-spinner-finishing.ngrok-free.dev, with tactics including sandbox evasion and obfuscated host decoding. #Paysafe #Skrill #Neteller #ngrok #AWS
Keypoints
- Socket’s AI scanner identified a cluster of 17 malicious packages across npm and PyPI published nearly simultaneously.
- The packages masquerade as SDKs for PaySafe, Skrill, and Neteller, targeting developers and users of those payment platforms.
- Malicious npm packages published four versions each, while the PyPI packages each published one detected malicious version.
- The npm malware only exfiltrates data when a Paysafe API key is present, while the PyPI variants activate more broadly.
- The payload steals environment variables and host information such as API keys, secrets, tokens, username, hostname, and current working directory.
- The malware includes sandbox checks and hidden C2 decoding logic to avoid analysis and conceal the command-and-control endpoint.
- Recommendations include rotating exposed secrets, auditing CI logs, blocking the package names, and monitoring outbound HTTPS to .ngrok-free.dev.
MITRE Techniques
- [T1082] System Information Discovery – Collects victim fingerprint data including hostname, username, cwd, and time before exfiltration (‘hostname, username, cwd (current working directory), time’).
- [T1057] Process Discovery – Checks system resources by inspecting CPU count to detect sandboxes (‘<2 CPU cores (common in sandboxes)’).
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Avoids execution when hostname or username contains sandbox-related strings (‘sandbox, analyzer, cuckoo, virus, malware, vmware, vbox’).
- [T1027] Obfuscated Files or Information – Hides the C2 hostname using XOR, arithmetic shifting, and reversing (‘The C2 domain is hidden behind three decode steps’).
- [T1016] System Network Configuration Discovery – Uses environment and host context, including hostname and username, as part of victim profiling (‘Victim fingerprint – hostname, username, cwd’).
- [T1056] Input Capture – Steals sensitive environment-held credentials such as API keys, tokens, and secrets (‘PAYSAFE_API_KEY, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, NPM_TOKEN’).
- [T1041] Exfiltration Over C2 Channel – Sends stolen data over HTTPS to the command-and-control server (‘https://caliber-spinner-finishing[.]ngrok-free.dev:443/’).
- [T1105] Ingress Tool Transfer – The malicious packages themselves are distributed through npm and PyPI to deliver the payload (’17 packages, published nearly simultaneously’).
- [T1552.001] Unsecured Credentials: Credentials in Environment Variables – Harvests secrets from environment variables matching KEY, SECRET, TOKEN, PASS, AUTH, or API (‘all environment variables matching KEY, SECRET, TOKEN, PASS, AUTH, or API’).
Indicators of Compromise
- [Package names] Malicious npm/PyPI packages impersonating payment SDKs – npm/paysafe-checkout, npm/skrill-sdk, pypi/paysafe-api, and 10 more packages
- [File names] Suspicious package contents – index.js, __init__.py
- [Domain] Command-and-control endpoint – caliber-spinner-finishing.ngrok-free.dev, ngrok-free.dev
- [URL] Exfiltration target over HTTPS – https://caliber-spinner-finishing.ngrok-free.dev:443/
- [Environment variables] Targeted secret-harvesting variables – PAYSAFE_API_KEY, AWS_SECRET_ACCESS_KEY, and other API/SECRET/TOKEN/PASS/AUTH/KEY variables
- [Function/class names] Malicious behavior and fake SDK facade – PaysafeClient, exfiltrate, isSandbox
- [Encoded strings] Obfuscation material used for C2 decoding – SGf6lmbr7GHUg99Z6R2U3g==, iuCM41mdmqNX9OElK51WXTAYxe4ZkZWjUPmgI54jVl0+GIXspGou5epBXC+aZ+msPA==
Read more: https://socket.dev/blog/npm-pypi-campaign-typosquats-popular-secure-payment-apps