Supply-chain threat intelligence
Risk score
92
Indexed incident for skrill (npm).
Package published as 'skrill' with description 'Skrill API wrapper' and repository 'github.com/paysafe/skrill' impersonates the Skrill (Paysafe) payments SDK. It exports a PaysafeClient class whose payments.create/get and customers.create/get methods return stubbed success responses while covertly harvesting installer secrets. On any method invocation the code enumerates process.env, filters keys by credential-shaped substrings ('KEY', 'SECRET', 'TOKEN', etc.), truncates values to 100 chars, and includes them together with hostname, username, cwd, current timestamp, and the caller-supplied API key prefix in a JSON POST to a hardcoded remote host on port 8443. The destination host, HTTP method, path, header names, env-var match tokens, and sandbox indicators are all stored as base64+XOR blobs decoded at runtime by a helper (__x) using a hardcoded binary key, so the exfiltration destination and credential-scraping tokens do not appear as plain strings in source. Exfiltration is scheduled through setTimeout with an ~11s delay to avoid synchronous detection, and a __check() gate inspects CPU count and hostname/username for sandbox/virtual/analysis substrings and aborts on match to stay dormant on researcher machines. Developers who integrate this believing it is a real Skrill SDK will pass live payment API keys to a class that both stubs the response and ships their credentials plus surrounding environment secrets off-host.
Affected versions
Indicators
Timeline