Paysafe, Skrill, and Neteller npm/PyPI typosquats steal developer secrets

Confirmed
Discovered Jul 7, 2026

Seventeen coordinated payment-brand typosquats across npm and PyPI impersonated SDKs and exfiltrated environment secrets to an ngrok host.

56
Affected Packages
4
Observables
1
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
paysafe-checkout, paysafe-checkout, paysafe-checkout, paysafe-checkout
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
caliber-spinner-finishing[.]ngrok-free[.]dev
index[.]js
__init__[.]py
caliber-spinner-finishing[.]ngrok-free[.]dev

Analysis

Executive Summary

Seventeen coordinated payment-brand typosquats across npm and PyPI impersonated SDKs and exfiltrated environment secrets to an ngrok host. The cited researchers identify the execution trigger as npm SDK method use when an API key is configured; PyPI package import and the observed behavior as: fingerprints hosts and exfiltrates environment variables whose names contain key, secret, token, pass, auth, or api. [1]

Responders should treat a matching malicious version as exposure and seek execution or egress evidence before asserting data theft. Secrets at risk include payment API keys, cloud secrets, source-control tokens, registry tokens, passwords, and CI credentials. No public victim count is treated as verified. [1]

Key Facts

Analysis table
FactValue
Affected artifactspaysafe-checkout, paysafe-vault, neteller, skrill-payments, paysafe-js, paysafe-api, paysafe-node, paysafe-cards, paysafe-fraud, paysafe-kyc, skrill, skrill-sdk, paysafe-payments, pypi:paysafe-kyc, pypi:paysafe-payments, pypi:paysafe-sdk, pypi:paysafe-api
Ecosystemnpm,pypi
Malicious versionspaysafe-checkout@1.0.0, paysafe-checkout@1.0.1, paysafe-checkout@1.0.2, paysafe-checkout@1.0.3, paysafe-vault@1.0.0, paysafe-vault@1.0.1, paysafe-vault@1.0.2, paysafe-vault@1.0.3, neteller@1.0.0, neteller@1.0.1, neteller@1.0.2, neteller@1.0.3, skrill-payments@1.0.0, skrill-payments@1.0.1, skrill-payments@1.0.2, skrill-payments@1.0.3, paysafe-js@1.0.0, paysafe-js@1.0.1, paysafe-js@1.0.2, paysafe-js@1.0.3, paysafe-api@1.0.0, paysafe-api@1.0.1, paysafe-api@1.0.2, paysafe-api@1.0.3, paysafe-node@1.0.0, paysafe-node@1.0.1, paysafe-node@1.0.2, paysafe-node@1.0.3, paysafe-cards@1.0.0, paysafe-cards@1.0.1, paysafe-cards@1.0.2, paysafe-cards@1.0.3, paysafe-fraud@1.0.0, paysafe-fraud@1.0.1, paysafe-fraud@1.0.2, paysafe-fraud@1.0.3, paysafe-kyc@1.0.0, paysafe-kyc@1.0.1, paysafe-kyc@1.0.2, paysafe-kyc@1.0.3, skrill@1.0.0, skrill@1.0.1, skrill@1.0.2, skrill@1.0.3, skrill-sdk@1.0.0, skrill-sdk@1.0.1, skrill-sdk@1.0.2, skrill-sdk@1.0.3, paysafe-payments@1.0.0, paysafe-payments@1.0.1, paysafe-payments@1.0.2, paysafe-payments@1.0.3, pypi:paysafe-kyc@1.0.0, pypi:paysafe-payments@1.0.0, pypi:paysafe-sdk@1.0.0, pypi:paysafe-api@1.0.0
Disclosure2026-07-07
Verified recovery directionremove campaign packages and replace only with vendor-verified SDKs

Evidence Assessment

Analysis table
AssessmentClaimEvidence
ConfirmedListed package versions carried or transitively resolved malicious code.Static package analysis and version comparison by the cited researchers. [1]
ConfirmedTrigger: npm SDK method use when an API key is configured; PyPI package import.Source-level or compiled-artifact analysis. [1]
Confirmedfingerprints hosts and exfiltrates environment variables whose names contain key, secret, token, pass, auth, or api.Decompiled/static analysis and reported telemetry where available. [1]
UnclearNumber of affected organizations or successful thefts.Neither source establishes a verified victim count.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceActionClosure gate
ExposureMalicious selector in a lockfile, cache, or inventoryPreserve dependency graph and cache metadataIsolate affected workload and determine whether trigger ranEvery matching host classified
Likely executionInstall/load logs or files align with the triggerProcess, file, CI, application, and egress timelineRebuild and rotate reachable secretsNegative rescan and completed rotations
Confirmed compromiseIOC egress, payload hash, or theft/abuse evidenceProxy/EDR evidence with UTC timestampsIncident response and downstream abuse reviewAbuse review, recovery monitoring, and evidence sign-off

Minimum Evidence To Collect

  • Dependency evidence: preserve lockfiles, SBOMs, package-manager caches, and CI restore/install logs; they identify exact versions and resolve exposure classification.
  • Execution evidence: collect EDR process/file events and application or assembly-load logs around dependency use; they determine whether npm SDK method use when an API key is configured; PyPI package import occurred.
  • Network evidence: retain DNS, proxy, firewall, and TLS metadata for caliber-spinner-finishing.ngrok-free.dev; a matching outbound event materially raises confidence.
  • Identity evidence: export audit logs for identities holding payment API keys, cloud secrets, source-control tokens, registry tokens, passwords, and CI credentials; these decide credential rotation scope and whether downstream abuse occurred.

Timeline

  • 2026-07-07 (UTC; exact time varies by artifact): malicious publication/discovery activity documented by the cited researchers. [1]
  • 2026-07-07: public technical reporting and defensive guidance published. [1]
  • Current registry removal status: unknown after this source-only review; validate through metadata-only registry queries before publication.

What Happened

The incident abused trusted package distribution or a deceptive package identity to deliver code that looked compatible with expected developer workflows. It then used npm SDK method use when an API key is configured; PyPI package import to activate and fingerprints hosts and exfiltrates environment variables whose names contain key, secret, token, pass, auth, or api. [1]

Initial Access

The affected artifacts were distributed through npm,pypi package channels. This folder does not infer an actor identity beyond source-supported account or publishing-path facts. [1]

Execution Trigger

Npm sdk method use when an api key is configured; pypi package import. [1]

Payload Behavior

The observed payload fingerprints hosts and exfiltrates environment variables whose names contain key, secret, token, pass, auth, or api. [1]

Credential or Data Collection

The defensible exposure set is payment API keys, cloud secrets, source-control tokens, registry tokens, passwords, and CI credentials. Rotate only after preserving evidence and mapping which secrets were available to the affected process. [1]

Defense Evasion

The source reporting describes deceptive naming, silent failure, obfuscation, or trigger placement intended to reduce discovery. Do not generalize beyond the specific files and selectors in this packet. [1]

Exfiltration and Command and Control

Observed network selectors are caliber-spinner-finishing.ngrok-free.dev. Human-readable prose is defanged where shown; raw values remain in iocs.json. [1]

Affected Assets and Blast Radius

Analysis table
AssetExposure pathPriority
Developer workstationsdependency installed, imported, or loadedHigh
CI/build runnerspackage restore plus secrets in job contextCritical
Production applicationsruntime trigger or assembly useCritical
Downstream identitiessecrets reachable by affected processCritical

Indicators of Compromise

Analysis table
TypeValues
Package versionspaysafe-checkout@1.0.0, paysafe-checkout@1.0.1, paysafe-checkout@1.0.2, paysafe-checkout@1.0.3, paysafe-vault@1.0.0, paysafe-vault@1.0.1, paysafe-vault@1.0.2, paysafe-vault@1.0.3, neteller@1.0.0, neteller@1.0.1, neteller@1.0.2, neteller@1.0.3, skrill-payments@1.0.0, skrill-payments@1.0.1, skrill-payments@1.0.2, skrill-payments@1.0.3, paysafe-js@1.0.0, paysafe-js@1.0.1, paysafe-js@1.0.2, paysafe-js@1.0.3, paysafe-api@1.0.0, paysafe-api@1.0.1, paysafe-api@1.0.2, paysafe-api@1.0.3, paysafe-node@1.0.0, paysafe-node@1.0.1, paysafe-node@1.0.2, paysafe-node@1.0.3, paysafe-cards@1.0.0, paysafe-cards@1.0.1, paysafe-cards@1.0.2, paysafe-cards@1.0.3, paysafe-fraud@1.0.0, paysafe-fraud@1.0.1, paysafe-fraud@1.0.2, paysafe-fraud@1.0.3, paysafe-kyc@1.0.0, paysafe-kyc@1.0.1, paysafe-kyc@1.0.2, paysafe-kyc@1.0.3, skrill@1.0.0, skrill@1.0.1, skrill@1.0.2, skrill@1.0.3, skrill-sdk@1.0.0, skrill-sdk@1.0.1, skrill-sdk@1.0.2, skrill-sdk@1.0.3, paysafe-payments@1.0.0, paysafe-payments@1.0.1, paysafe-payments@1.0.2, paysafe-payments@1.0.3, pypi:paysafe-kyc@1.0.0, pypi:paysafe-payments@1.0.0, pypi:paysafe-sdk@1.0.0, pypi:paysafe-api@1.0.0
Filesindex.js, init.py
Domains (defanged)caliber-spinner-finishing[.]ngrok-free[.]dev
IPs (defanged)None published
SHA-256See source; no compact hash set included here

Detection and Hunting

Run scripts/hunt.py opens in a new tab against exported lockfiles, SBOMs, restore/install logs, proxy/DNS logs, or file inventories. It answers whether exact package versions, file selectors, hashes, domains, or IPs are present. A match is a triage lead; package-only matches may be false positives from documentation or cleanly quarantined caches. Escalate by preserving the matching record and correlating it with process and identity audit logs.

Downstream Abuse Audits

Review source-control, registry, cloud, payment, wallet, and CI identity logs only where the affected process could access those services. Search from the earliest package acquisition through credential rotation for new tokens, unusual sessions, publishing, transaction changes, secret reads, and deployment activity. The reason is specific: the payload targeted payment API keys, cloud secrets, source-control tokens, registry tokens, passwords, and CI credentials. [1]

Remediation and Recovery Gates

  1. Preserve lockfiles, caches, process/file telemetry, and egress evidence before cleanup.
  2. Stop package execution and isolate hosts with runtime or egress evidence.
  3. Remove the listed versions and invalidate internal caches.
  4. Rotate payment API keys, cloud secrets, source-control tokens, registry tokens, passwords, and CI credentials from a clean host, prioritizing secrets present during execution.
  5. Rebuild likely or confirmed hosts from verified images rather than trusting package removal alone.
  6. Apply the recovery direction: remove campaign packages and replace only with vendor-verified SDKs.
  7. Audit downstream identity and transaction activity from first exposure through rotation.
  8. Rescan lockfiles, caches, files, and egress exports with the tested hunter.
  9. Close only after every exposed host is classified, required rotations and abuse reviews are complete, and post-recovery monitoring is clean.

Open Questions

  • How many organizations actually executed the malicious code?
  • Is additional attacker infrastructure or campaign-linked packaging still active?
  • What is the current registry availability/deprecation status of every listed version?

Timeline

7 of 7 rows

Timeline
DateEventDescriptionSource
Jul 7, 2026First seenFirst seen recorded for Paysafe, Skrill, and Neteller npm/PyPI typosquats steal developer secrets.Socket
Jul 7, 2026DiscoveryDiscovery recorded for Paysafe, Skrill, and Neteller npm/PyPI typosquats steal developer secrets.Socket
Invalid DateMalicious publish timeMalicious publish time recorded for Paysafe, Skrill, and Neteller npm/PyPI typosquats steal developer secrets.Socket
Invalid DateRemovalRemoval recorded for Paysafe, Skrill, and Neteller npm/PyPI typosquats steal developer secrets.Socket
Invalid DatePatch or fixPatch or fix recorded for Paysafe, Skrill, and Neteller npm/PyPI typosquats steal developer secrets.Socket
Jul 7, 2026Paysafe, Skrill, and Neteller npm/PyPI typosquats steal developer secretsUnknownSocket
Jul 7, 2026DisclosureDisclosure recorded for Paysafe, Skrill, and Neteller npm/PyPI typosquats steal developer secrets.Socket

Affected Software

56 of 56 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
paysafe-checkoutnpm1.0.0Malicious90%Socket
paysafe-checkoutnpm1.0.1Malicious90%Socket
paysafe-checkoutnpm1.0.2Malicious90%Socket
paysafe-checkoutnpm1.0.3Malicious90%Socket
paysafe-vaultnpm1.0.0Malicious90%Socket
paysafe-vaultnpm1.0.1Malicious90%Socket
paysafe-vaultnpm1.0.2Malicious90%Socket
paysafe-vaultnpm1.0.3Malicious90%Socket
netellernpm1.0.0Malicious90%Socket
netellernpm1.0.1Malicious90%Socket
netellernpm1.0.2Malicious90%Socket
netellernpm1.0.3Malicious90%Socket
skrill-paymentsnpm1.0.0Malicious90%Socket
skrill-paymentsnpm1.0.1Malicious90%Socket
skrill-paymentsnpm1.0.2Malicious90%Socket
skrill-paymentsnpm1.0.3Malicious90%Socket
paysafe-jsnpm1.0.0Malicious90%Socket
paysafe-jsnpm1.0.1Malicious90%Socket
paysafe-jsnpm1.0.2Malicious90%Socket
paysafe-jsnpm1.0.3Malicious90%Socket
paysafe-apinpm1.0.0Malicious90%Socket
paysafe-apinpm1.0.1Malicious90%Socket
paysafe-apinpm1.0.2Malicious90%Socket
paysafe-apinpm1.0.3Malicious90%Socket
paysafe-nodenpm1.0.0Malicious90%Socket
paysafe-nodenpm1.0.1Malicious90%Socket
paysafe-nodenpm1.0.2Malicious90%Socket
paysafe-nodenpm1.0.3Malicious90%Socket
paysafe-cardsnpm1.0.0Malicious90%Socket
paysafe-cardsnpm1.0.1Malicious90%Socket
paysafe-cardsnpm1.0.2Malicious90%Socket
paysafe-cardsnpm1.0.3Malicious90%Socket
paysafe-fraudnpm1.0.0Malicious90%Socket
paysafe-fraudnpm1.0.1Malicious90%Socket
paysafe-fraudnpm1.0.2Malicious90%Socket
paysafe-fraudnpm1.0.3Malicious90%Socket
paysafe-kycnpm1.0.0Malicious90%Socket
paysafe-kycnpm1.0.1Malicious90%Socket
paysafe-kycnpm1.0.2Malicious90%Socket
paysafe-kycnpm1.0.3Malicious90%Socket
skrillnpm1.0.0Malicious90%Socket
skrillnpm1.0.1Malicious90%Socket
skrillnpm1.0.2Malicious90%Socket
skrillnpm1.0.3Malicious90%Socket
skrill-sdknpm1.0.0Malicious90%Socket
skrill-sdknpm1.0.1Malicious90%Socket
skrill-sdknpm1.0.2Malicious90%Socket
skrill-sdknpm1.0.3Malicious90%Socket
paysafe-paymentsnpm1.0.0Malicious90%Socket
paysafe-paymentsnpm1.0.1Malicious90%Socket
paysafe-paymentsnpm1.0.2Malicious90%Socket
paysafe-paymentsnpm1.0.3Malicious90%Socket
pypi:paysafe-kycnpm1.0.0Malicious90%Socket
pypi:paysafe-paymentsnpm1.0.0Malicious90%Socket
pypi:paysafe-sdknpm1.0.0Malicious90%Socket
pypi:paysafe-apinpm1.0.0Malicious90%Socket

IOC Clipboard

4 IOCs
domaincaliber-spinner-finishing.ngrok-free.dev
file_pathindex.js
file_path__init__.py
network_patterncaliber-spinner-finishing.ngrok-free.dev

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
Paysafe, Skrill, and Neteller npm/PyPI typosquats steal developer secrets evidence scopePythonDo exported dependency, file, or network records contain incident-specific selectors?scripts/hunt.py opens in a new tabSocket

Hunt Manifest: Paysafe, Skrill, and Neteller npm/PyPI typosquats steal developer secrets evidence scope

Title
Paysafe, Skrill, and Neteller npm/PyPI typosquats steal developer secrets evidence scope
Question
Do exported dependency, file, or network records contain incident-specific selectors?
Telemetry Family
Python
Repository
scripts/hunt.py
Show tested hunting scriptscripts/hunt.py
scripts/hunt.py opens in a new tabPython
#!/usr/bin/env python3
"""Read-only IOC scanner for exported text/CSV/JSON evidence. Never installs packages."""
import argparse,json,re,sys
IOCS={'packages': ['paysafe-checkout', 'paysafe-vault', 'neteller', 'skrill-payments', 'paysafe-js', 'paysafe-api', 'paysafe-node', 'paysafe-cards', 'paysafe-fraud', 'paysafe-kyc', 'skrill', 'skrill-sdk', 'paysafe-payments'], 'versions': ['paysafe-checkout@1.0.0', 'paysafe-checkout@1.0.1', 'paysafe-checkout@1.0.2', 'paysafe-checkout@1.0.3', 'paysafe-vault@1.0.0', 'paysafe-vault@1.0.1', 'paysafe-vault@1.0.2', 'paysafe-vault@1.0.3', 'neteller@1.0.0', 'neteller@1.0.1', 'neteller@1.0.2', 'neteller@1.0.3', 'skrill-payments@1.0.0', 'skrill-payments@1.0.1', 'skrill-payments@1.0.2', 'skrill-payments@1.0.3', 'paysafe-js@1.0.0', 'paysafe-js@1.0.1', 'paysafe-js@1.0.2', 'paysafe-js@1.0.3', 'paysafe-api@1.0.0', 'paysafe-api@1.0.1', 'paysafe-api@1.0.2', 'paysafe-api@1.0.3', 'paysafe-node@1.0.0', 'paysafe-node@1.0.1', 'paysafe-node@1.0.2', 'paysafe-node@1.0.3', 'paysafe-cards@1.0.0', 'paysafe-cards@1.0.1', 'paysafe-cards@1.0.2', 'paysafe-cards@1.0.3', 'paysafe-fraud@1.0.0', 'paysafe-fraud@1.0.1', 'paysafe-fraud@1.0.2', 'paysafe-fraud@1.0.3', 'paysafe-kyc@1.0.0', 'paysafe-kyc@1.0.1', 'paysafe-kyc@1.0.2', 'paysafe-kyc@1.0.3', 'skrill@1.0.0', 'skrill@1.0.1', 'skrill@1.0.2', 'skrill@1.0.3', 'skrill-sdk@1.0.0', 'skrill-sdk@1.0.1', 'skrill-sdk@1.0.2', 'skrill-sdk@1.0.3', 'paysafe-payments@1.0.0', 'paysafe-payments@1.0.1', 'paysafe-payments@1.0.2', 'paysafe-payments@1.0.3', 'pypi:paysafe-kyc@1.0.0', 'pypi:paysafe-payments@1.0.0', 'pypi:paysafe-sdk@1.0.0', 'pypi:paysafe-api@1.0.0'], 'files': ['index.js', '__init__.py'], 'domains': ['caliber-spinner-finishing.ngrok-free.dev'], 'ips': [], 'hashes': []}
def scan(path):
 try:
  text=path.read_text(errors="replace").lower()
 except OSError:
  return []
 hits=[]
 for kind,vals in IOCS.items():
  for value in vals:
   if value.lower() in text: hits.append({"type":kind,"value":value,"path":str(path)})
 return hits
def main():
 from pathlib import Path
 ap=argparse.ArgumentParser(); ap.add_argument("paths",nargs="+"); ap.add_argument("--json",action="store_true"); a=ap.parse_args(); hits=[]
 for raw in a.paths:
  p=Path(raw)
  if p.is_file(): hits += scan(p)
  elif p.is_dir():
   for f in p.rglob("*"):
    if f.is_file(): hits += scan(f)
 if a.json: print(json.dumps({"hits":hits},indent=2))
 else:
  for h in hits: print(f"{h['type']}\t{h['value']}\t{h['path']}")
 return 2 if hits else 0
if __name__=="__main__": raise SystemExit(main())

Provenance & Sources

1 of 1 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
SocketVendor95%1Seventeen coordinated payment-brand typosquats across npm and PyPI impersonated SDKs and exfiltrated environment secrets to an ngrok host.
Paysafe, Skrill, and Neteller npm/PyPI typosquats steal developer secrets — Halting Problems