← Back to feed

Fake Payment SDK Supply Chain Attack — 17 Malicious npm/PyPI Packages Targeting Payment Developers (July 7, 2026)

Date: 2026-07-16
Tags: supply-chain

Executive Summary

On July 7, 2026, automated security scanners detected a cluster of 17 malicious packages published nearly simultaneously across the npm and PyPI registries. These packages were designed to mimic legitimate software development kits (SDKs) for major payment platforms, specifically PaySafe, Skrill, and Neteller, leveraging typosquatting and deceptive naming conventions to trick developers into integrating malicious code.

Campaign Summary

FieldDetail
Campaign / MalwareFake Payment SDK Typosquatting Campaign
AttributionUnknown (confidence: none)
TargetPayment platform developers; financial software engineers; development environments integrating payment processing
VectorTyposquatted npm and PyPI packages impersonating legitimate payment SDKs
Statusactive
First Observed2026-07-07

Detailed Findings

On July 7, 2026, automated security scanners detected a cluster of 17 malicious packages published nearly simultaneously across the npm and PyPI registries. Once installed, the malware's primary goal is to steal credentials and tokens, silently harvesting sensitive information from developer machines and continuous integration (CI) runners, ultimately exfiltrating it to external infrastructure. The campaign represents a targeted attack against a high-value vertical: payment processing developers, where compromised credentials provide access to payment gateway accounts, transaction data, and financial APIs. The use of simultaneous publishing suggests automated tooling or coordinated team deployment.

MITRE ATT&CK Mapping

TechniqueIDContext
Supply Chain CompromiseT1195.001Malicious packages in npm and PyPI package registries
Credential DumpingT1110.004Harvesting and exfiltration of developer credentials and payment API tokens
ExecutionT1204.001Code execution via npm install / pip install during dependency resolution

IOCs

Domains

_17 malicious packages total; specific package names and versions not disclosed in Cyberpress source; Skrill, PaySafe, Neteller SDKs were impersonated_

Full URL Paths

_17 malicious packages total; specific package names and versions not disclosed in Cyberpress source; Skrill, PaySafe, Neteller SDKs were impersonated_

Splunk Format

_No IOCs available for Splunk query_

Affected Platforms

npm
PyPI

Detection Recommendations

For payment software developers: audit all recently installed dependencies from npm and PyPI, particularly those matching payment platform names (PaySafe, Skrill, Neteller). Compare installed package names against official package registry links from legitimate payment vendors. Implement package integrity verification using npm/PyPI provenance checksums. Monitor for unexpected network connections from development machines to unfamiliar exfiltration endpoints. For package registry maintainers: implement enhanced typosquatting detection algorithms comparing package names against established brands using edit-distance and levenshtein metrics.

References