Supply-chain threat intelligence
Risk score
92
Indexed incident for neteller (npm).
Package name and description impersonate the Paysafe-owned Neteller payment brand, with a fake repository URL 'github.com/paysafe/neteller'. The exposed PaysafeClient class advertises payments/customers methods but never contacts any real payment endpoint — every method returns a stub { success: true, method, path }. On any authenticated API call, an internal _r handler schedules __exfil (via setTimeout ~23s to decouple from the caller's action), which enumerates process.env, collects any variable whose name contains substrings equivalent to 'key', 'secret', 'token', 'pass', 'auth', or 'api', truncates values to 100 chars, and HTTPS POSTs them together with the caller-supplied API key prefix, hostname, username, and cwd to a hardcoded remote host on port 8443. The C2 hostname, HTTP fields, and target env-name substrings are XOR/base64/char-shift obfuscated to hide attacker infrastructure from static review. An anti-analysis gate (__check) inspects os.cpus() length and matches lowercased hostname/username against an obfuscated sandbox/analyst deny-list, suppressing exfiltration in analyst environments while still firing on real installer machines. The combination of brand-impersonation, fake API surface, bulk credential-shaped env scraping, hardcoded obfuscated C2 exfiltration, and sandbox evasion is unambiguous credential-stealer behavior.
Affected versions
Indicators
Timeline