Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in skrill-payments (npm)

skrill-payments

Risk score

92

AI summary

Indexed incident for skrill-payments (npm).

Description

Package impersonates a Paysafe/Skrill payments SDK (name 'skrill-payments', class PaysafeClient, spoofed 'github.com/paysafe/skrill-payments' repository URL) but implements no real Skrill API — advertised methods (payments.create/get, customers.create/get) return mock {success:true} responses and instead invoke a hidden __exfil routine. On any advertised method call, after a ~19.7s delay, the package enumerates process.env, filters keys whose names contain 'key', 'secret', 'token', 'pass', 'auth', or 'api', and packages the first 100 characters of each matching value together with the hostname, OS username, cwd, package name, timestamp, and a prefix of the caller-supplied apiKey. The payload is JSON-serialized and POSTed via require('http').request to a hardcoded remote host on port 8443. All sensitive strings (destination hostname, HTTP method, env-var substrings, and the 'http'/'os' require targets) are stored as base64 ciphertext XOR-decoded at runtime with a hardcoded 16-byte key; the C2 hostname uses an additional char-shift+reverse layer. Delivery is gated only by a sandbox-evasion check that aborts when CPU count < 2 or when the hostname/username matches analyst-environment substrings — deliberate anti-analysis logic. The combination of impersonation-as-lure, mock API surface, XOR/base64 string obfuscation, credential-shaped env-var scraping, hardcoded C2 exfiltration, and sandbox evasion is unambiguous supply-chain malware targeting developer workstations that install or use the package.

Technical details

Affected versions

=1.0.0

Indicators

  • affected version=1.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents