Fake payment SDKs are a clean example of why software supply-chain security is no longer just a developer problem. Socket reported a coordinated campaign involving 17 malicious npm and PyPI packages impersonating Paysafe, Skrill, and Neteller libraries. The packages were designed to look useful enough for payment developers to import, but their real purpose was to steal secrets from developer workstations and CI environments.
For SMBs, SaaS teams, ecommerce operators, and government contractors, the practical risk is straightforward: a single dependency typo or unreviewed package can expose API keys, cloud credentials, GitHub tokens, npm tokens, and other environment variables that unlock production systems.
What happened
According to Socket’s analysis, the campaign used packages that imitated legitimate payment SDKs across both npm and PyPI. The packages exposed expected-looking client functions and returned fake success responses, creating the illusion that an integration was working while avoiding real communication with the payment provider.
The malicious behavior focused on credential discovery and exfiltration. In the npm packages, theft was tied to use of a Paysafe API key. In the PyPI packages, initialization alone could trigger the malicious routine. BleepingComputer also reported that the stolen data could include Paysafe API keys, AWS keys, GitHub tokens, npm tokens, host details, usernames, and API usage metadata.
Why it matters
Payment integrations often sit close to sensitive workflows: checkout systems, customer accounts, fraud checks, KYC logic, finance operations, and internal admin tooling. That makes fake SDKs especially attractive to attackers. Even if the payment integration itself is still in development, the developer’s environment may hold broader access than the app being built.
The bigger lesson is that attackers are not only hunting production servers. They are hunting the build path: package managers, local dev machines, CI runners, registry tokens, cloud keys, and automation secrets. Those systems often have enough access to push code, publish packages, create infrastructure, or reach customer data.
Defensive takeaways
- Search immediately for the package names. Review package-lock, npm-shrinkwrap, yarn.lock, pnpm-lock, requirements files, Poetry/Pipenv metadata, CI logs, and artifact manifests for the affected Paysafe, Skrill, and Neteller lookalike packages.
- Rotate exposed secrets if installed or executed. Treat any developer workstation or CI runner that imported these packages as potentially compromised. Rotate payment API keys, AWS keys, GitHub tokens, npm tokens, and any other environment variables matching secret-like names.
- Block known-bad names at the registry proxy. Use npm/PyPI proxy controls, dependency firewall rules, or package allowlists to prevent reinstallation and catch copycat packages.
- Reduce CI secret blast radius. CI jobs should receive only the specific secrets needed for that workflow. Avoid broad, long-lived tokens in default runner environments.
- Monitor package installation and unusual outbound traffic. Alert on new dependencies in payment-related repos and outbound connections from build systems to unexpected tunneling, cloud, or newly registered domains.
- Prefer verified SDK sources. Link official SDK names and install commands in internal engineering docs so developers are not relying on search results or memory during implementation.
Bulwark Black assessment
This campaign is not sophisticated because of exotic malware. It is dangerous because it abuses normal developer behavior. The packages looked like business tooling, used familiar payment-brand names, and targeted secrets that many organizations still leave exposed in local shells or CI variables.
For small teams and contractors, the right response is not to ban open source. The right response is dependency discipline: verified package sources, lockfile review, registry controls, short-lived credentials, scoped CI secrets, and fast secret rotation when something suspicious lands in the build chain.
Original research: Socket — Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps
