Socket’s malware scanners flagged a cluster of 17 malicious npm and PyPI packages published nearly simultaneously on July 7, 2026, all impersonating SDKs for Paysafe, Skrill, and Neteller, three payment and e-money brands headquartered and regulated in the UK and widely used by European merchants and platforms. Each npm package was flagged as malware within six minutes of publication, but that speed of detection does not undo the exposure for anyone who installed a copy in the interim, and typosquatting campaigns like this one are rarely a single occurrence.
The trick is that the fake SDK actually looks like it works
What makes this campaign more dangerous than a typical typosquat is the attention paid to plausibility. The fake npm packages expose the same API surface a real Paysafe SDK would, and when called, they return a convincing fake success response rather than an error that might tip off a developer during testing. Underneath that fake response, a hidden routine collects the developer’s hostname, username, working directory, and any environment variables containing patterns like KEY, SECRET, TOKEN, PASS, or AUTH, then exfiltrates the haul to a command-and-control server hosted on AWS infrastructure. The npm variants only trigger data theft when a Paysafe API key is present, a deliberate choice that narrows detection during casual testing. The PyPI packages skip that check entirely and start harvesting on initialisation.
Why the blast radius extends well past payment credentials
Because the exfiltration logic scrapes environment variables rather than a specific credential format, the actual haul is not limited to Paysafe API keys. Reported exfiltrated data includes AWS secret keys, GitHub tokens, and npm publishing tokens, meaning a single bad npm install in a developer’s local environment or, worse, in a CI/CD pipeline, can hand an attacker cloud infrastructure access and the ability to publish poisoned packages under a legitimate maintainer’s identity. For a European fintech, marketplace, or SaaS business integrating a payment SDK under deadline pressure, that is the difference between a contained annoyance and a genuine supply chain incident touching production infrastructure.
What to check before your next npm install
Verify the publisher and package provenance before installing any payment or financial SDK, rather than trusting a name that matches the brand you expect. Confirm you are pulling packages from the vendor’s documented, official package name and, where available, use lockfile integrity checks and a software composition analysis tool that flags newly published packages with suspicious behaviour. In CI/CD specifically, scope tokens tightly and treat any pipeline environment variable containing a credential as something that should never be readable by an arbitrary installed dependency. This campaign was caught fast, but the next one impersonating a different fintech brand will not announce itself.
If you want help auditing your dependency supply chain, locking down what your CI/CD environment exposes to installed packages, or setting up automated scanning for exactly this kind of typosquatting campaign, contact Excello Digital. We help development teams close the gap between “it installed cleanly” and “it was actually safe to install.”
