Bottom line: Attackers planted manipulated SDKs for payment service providers in public package repositories to steal credentials.
Malicious packages in the package repositories NPM and PyPI impersonated official software libraries for Paysafe, Skrill and Neteller and distributed credential-stealing malware to developers and users.
Cybercriminals uploaded fake Software Development Kits for Paysafe, Skrill and Neteller to the popular package managers NPM (Node Package Manager) and PyPI (Python Package Index). The malicious packages were visually barely distinguishable from the genuine libraries, thereby deceiving developers who integrated them into their projects.
The malware-infected modules function as credential stealers: they extracted sensitive access credentials from systems and applications on which they were executed. This is particularly critical for development environments and production servers, as API keys, database credentials and other authentication means can be harvested from there.
For CTOs, this represents a significant supply-chain risk: public package repositories are central dependency sources whose integrity is often questioned too little. It is recommended to continuously monitor dependencies, use version control and employ Software Composition Analysis tools to detect suspicious or unverified packages early. Packages with similar names to established libraries (typosquatting) in particular should be checked before integration.
Source: www.bleepingcomputer.com · Published July 8, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.