Home / The Long Read / Research
Long Read

Fake Paysafe, Skrill and Neteller SDKs on npm and PyPI turned payment developers into a supply-chain target

Researchers found 17 fake Paysafe, Skrill and Neteller packages on npm and PyPI that steal API keys and CI tokens from developer and build machines. Nothing was breached at the payment firms. The exposure came through a poisoned dependency, which shows why the package registry is a supplier.

Fake Paysafe, Skrill and Neteller SDKs on npm and PyPI turned payment developers into a supply-chain target
TL;DR

Researchers found 17 fake Paysafe, Skrill and Neteller packages on npm and PyPI that steal API keys and CI tokens from developer and build machines. Nothing was breached at the payment firms. The exposure came through a poisoned dependency, which shows why the package registry is a supplier.

Researchers found 17 malicious software packages that impersonate the Paysafe, Skrill and Neteller payment kits, published to two open-source registries (npm for JavaScript and PyPI for Python) on 7 July 2026. Any developer who installed one and ran it risked handing over the secrets on their machine or build server: Paysafe API keys, Amazon Web Services (AWS) keys, and GitHub and npm access tokens. Nothing was breached at Paysafe, Skrill or Neteller. The exposure came through a poisoned dependency, a component pulled into other people's code. The lesson: your suppliers include every open-source package your build trusts, and one fake can drain the credentials that reach everything downstream.

Fake payment SDKs (July 2026): the supply route was the package registry No breach at Paysafe, Skrill or Neteller. A poisoned dependency harvested the secrets that reach everything downstream. Threat actor publishes 17 fake SDKs (13 npm, 4 PyPI) identity not confirmed npm & PyPI registries typosquat names: paysafe-node, skrill-sdk Developer machine & CI build server installs poisoned dependency fake SDK returns "success", scans environment for secrets Secrets sent to attacker C2 Paysafe API key AWS secret key GitHub token, npm token plus hostname and username Downstream reach of the stolen secrets: cloud accounts, source repositories, the packages the team itself publishes, and the customers built on top of them Third-party risk, in one line: The package registry is a supplier. One look-alike dependency can drain the credentials that reach every system downstream. Sources: Socket (7 July 2026), BleepingComputer (8 July 2026). Draft diagram for Breach Wire, Supplier Shield.

What happened

The application security firm Socket reported the campaign on 7 July 2026, and BleepingComputer covered it on 8 July 2026. Socket's scanner found 17 packages published almost simultaneously, 13 on npm and 4 on PyPI. Each carried a name that mimics a real payment SDK (software development kit, the prebuilt code developers use to add a feature), such as paysafe-node, skrill-sdk and paysafe-payments. The packages returned fake success responses so an integration looked normal, while searching the environment for any variable whose name contained KEY, SECRET, TOKEN, PASS, AUTH or API. Matches were sent to an attacker-controlled command-and-control server (the machine that collects stolen data). Socket says the harvested secrets would in practice include the Paysafe API key, the AWS secret key, and GitHub and npm tokens. The npm code ran only when a Paysafe key was present; the PyPI code ran on install regardless. The malware also skipped machines that looked like security sandboxes. npm flagged the packages as malicious within six minutes. The identity of the actor is not confirmed, and Socket believes it is capable and may return.

Why it matters for third-party risk

This is the dependency-as-supplier pattern. A payment integration is assembled from third-party code, and the registry is the supply route. When a developer installs a look-alike package, the exposure does not stop at one laptop. Stolen AWS keys, GitHub tokens and npm tokens reach cloud accounts, source repositories, and the packages a team itself publishes, so one poisoned dependency can extend into every system and customer downstream. Concentration makes it worse: thousands of teams pull from the same two registries, so a single believable typo-name can scatter across many victims at once.

What teams should take from it

Treat the package registry as a supplier and put a gate in front of it: pin exact versions, block install-time scripts, and verify a package name before it enters a build. Then assume any secret that ever sat in a build environment is reachable, so keep credentials short-lived and rotate them on a schedule, not only after an incident. To see how continuous vendor and dependency monitoring works, Acuna's supplier-risk resource sets out the practice.

FAQ

Were Paysafe, Skrill or Neteller breached?

No. The packages only impersonated their SDKs. The companies' own systems were not involved, according to Socket's report.

What was actually stolen?

Environment secrets on any machine that installed and ran a package: Paysafe API keys, AWS keys, and GitHub and npm tokens, plus basic host details such as hostname and username.

What should a team do if it installed one?

Rotate every secret on the affected machine or build server, search dependency trees for the 17 package names, block them at the registry proxy, and check continuous integration (CI) logs for those names alongside PAYSAFE_API_KEY.

What to do next

Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.

Read next

Hemmersbach ransomware claim: why a breach at an IT services supplier reaches toward its clients

Hemmersbach ransomware claim: why a breach at an IT services supplier reaches toward its clients

A ransomware group has claimed a breach of Hemmersbach, a German IT services provider that works inside its clients' technology estates. Researchers say the exposed data includes credentials to the firm's own identity systems. Hemmersbach has not confirmed the attack and the scope is unverified. For third-party risk teams, the lesson is about vendor access: a supplier's stolen login can become a route toward the clients it serves.

Read article
Accenture breach: source code and cloud keys claimed stolen from a supplier many firms rely on

Accenture breach: source code and cloud keys claimed stolen from a supplier many firms rely on

Accenture confirmed a security incident on 8 July 2026 after a threat actor listed about 35 GB of source code and cloud access keys for sale. The company called it isolated and remediated, but did not confirm scope or client-data impact. For third-party risk teams, the exposure is the client pipelines and cloud tenants a services provider touches.

Read article
KDDI email breach: how one shared email platform exposed up to 14.2 million logins across six ISPs

KDDI email breach: how one shared email platform exposed up to 14.2 million logins across six ISPs

One email platform run by KDDI exposed the logins of up to 14.2 million customers across six Japanese internet providers. The lesson for third-party risk teams is concentration and fourth-party risk: many brands on one shared supplier system, breached through a third-party software flaw.

Read article
Fake Paysafe, Skrill SDKs on npm and PyPI steal secrets | Breach Wire | Supplier Shield