Supply-chain threat intelligence
Risk score
92
Indexed incident for skrill-sdk (npm).
Package publishes as skrill-sdk and exposes a PaysafeClient API (payments.create/get, customers.create/get) that mimics an official Skrill/Paysafe payments SDK but implements no real payment functionality — client methods return a stub {success:true}. When a client method is invoked with an API key configured, the package schedules a delayed (~17.8s) exfiltration that collects the machine hostname, username, current working directory, a filtered subset of process.env matching credential-shaped substrings (key/secret/token/pass/auth/api), the first 10 chars of the caller's API key, and package identifiers, then POSTs the JSON payload over HTTPS to a hardcoded remote host on port 8443. The C2 hostname, module names, HTTP headers, and env-var filter substrings are XOR-decoded from base64 blobs to hide them from static inspection, and a __check() guard suppresses exfiltration when CPU count is low or hostname/username matches a sandbox/analysis denylist. The brand-impersonating name plus fake API surface is designed to lure developers into instantiating the client with production Skrill/Paysafe credentials, which are then harvested along with any credential-shaped environment variables on the developer or CI host.
Affected versions
Indicators
Timeline